...
| Note |
|---|
Releasing attributes "to a federation" in this way assumes all of the SPs in the aggregate are equally trustworthy. If the aggregate corresponds to a single federation with adequate privacy controls, such a policy might be warranted. In other situations, it might be preferable to restrict the release of attributes to SPs that meet certain requirements. One approach is to restrict attribute release to SPs possessing a particular entity attribute, as shown in the example below. |
Release
...
an Attribute Bundle to any SP Registered by InCommon
Contributed By: Tom Scavo, Internet2
...
| Expand |
|---|
|
| Code Block |
|---|
| <AttributeFilterPolicy id="releaseEssentialAttributeBundle">
<!-- this policy is active for a requester with the following entity attribute -->
<PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
</AttributeFilterPolicy> |
|
Release an Attribute Bundle
...
to any Research & Scholarship SP
| Anchor |
|---|
| EntityAttribute |
|---|
| EntityAttribute |
|---|
|
Contributed By: Tom Scavo, Internet2
...
| Anchor |
|---|
| AttributeInMetadata |
|---|
| AttributeInMetadata |
|---|
|
Release a Minimal Attribute Bundle
...
to any Research & Scholarship SP
Contributed By: Tom Scavo, Internet2
...