...

Note

Releasing attributes "to a federation" in this way assumes that every SP in the aggregate is equally trustworthy. If the aggregate corresponds to a single federation with adequate privacy controls, such a policy might be warranted. In other situations it is preferable to restrict attribute release to SPs that meet certain requirements. One approach is to restrict release to SPs whose metadata carries a particular entity attribute; since the entity attribute is asserted by the metadata registrar, the IdP is then relying on the registrar's vetting of the SP rather than on federation membership alone. The example below shows such a policy.

Release

...

an Attribute Bundle to any SP Registered by InCommon

Contributed By: Tom Scavo, Internet2

...

<AttributeFilterPolicy id="releaseEssentialAttributeBundle">

  <!-- this policy is active for a requester with the following entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>
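
The following is an added example, not part of the original wiki page and not Shibboleth's own code. It applies the same exact-match test that the saml:AttributeRequesterEntityAttributeExactMatch rule above performs to a SAML metadata aggregate and reports, per SP, which attributes of the bundle the policy would release. It is useful for checking, before deploying the filter, which SPs in a given aggregate actually carry the entity category. The metadata document, the entityIDs and all function names below are constructed for this example.

```python
"""Added example (not from the Shibboleth wiki page): evaluate which SPs in a
SAML metadata aggregate satisfy the entity-attribute PolicyRequirementRule
shown above. The metadata document and entityIDs are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Same attributeName / attributeValue as the PolicyRequirementRule above.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REGISTERED_BY_INCOMMON = "http://id.incommon.org/category/registered-by-incommon"

# The attributeIDs released by the AttributeFilterPolicy above.
ESSENTIAL_BUNDLE = ("eduPersonPrincipalName", "email", "displayName", "givenName", "surname")

URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed aggregate: one SP with the category, one with a different
# category, one with no entity attributes at all.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
          <saml:AttributeValue>{REGISTERED_BY_INCOMMON}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.partner.example/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.noattrs.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attribute_values(entity, name):
    """All values of the entity attribute `name` declared in the entity's <mdattr:EntityAttributes>."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == name:
            for v in attr.findall("saml:AttributeValue", NS):
                if v.text:
                    values.add(v.text.strip())
    return values


def has_entity_attribute(entity, name, value):
    """Mirror of saml:AttributeRequesterEntityAttributeExactMatch: true only if the
    requester carries entity attribute `name` with a value exactly equal to `value`."""
    return value in entity_attribute_values(entity, name)


def released_attributes(metadata_xml, name=ENTITY_CATEGORY, value=REGISTERED_BY_INCOMMON):
    """Map each SP entityID in the aggregate to the attributes the policy would release
    (the full bundle if the PolicyRequirementRule matches, nothing otherwise)."""
    root = ET.fromstring(metadata_xml)
    result = {}
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # not an SP, so never a requester for this policy
        matched = has_entity_attribute(entity, name, value)
        result[entity.get("entityID")] = set(ESSENTIAL_BUNDLE) if matched else set()
    return result


if __name__ == "__main__":
    for entity_id, attrs in released_attributes(SAMPLE_METADATA).items():
        print(entity_id, "->", sorted(attrs) or "(nothing released)")
```

Note that the match is on the exact string: a value such as a longer URI that merely begins with the expected category does not satisfy the rule, which is the behaviour you want when an entity category URI is the access-control key.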

Release an Attribute Bundle

...

to any Research & Scholarship SP

Contributed By: Tom Scavo, Internet2

...


Release a Minimal Attribute Bundle

...

to any Research & Scholarship SP

Contributed By: Tom Scavo, Internet2

...