IDEM GARR AAI Example: Configuring an IdP
Italian IDEM Federation recommends the following approach to configure Shibboleth IdP v4.3.1 (or later) to release a subset of attributes to all CoCo v1 SPs, including CoCo v1 SPs in other federations, as follows:
A Shib IdP config that releases attributes to ALL CoCo SPs
<!-- GEANT Data protection Code of Conduct -->
<AttributeFilterPolicy id="releaseToCoCo">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
<AttributeRule attributeID="eduPersonTargetedID">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="AND">
<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
<Rule xsi:type="OR">
<Rule xsi:type="Value" value="faculty" caseSensitive="true" />
<Rule xsi:type="Value" value="student" caseSensitive="true" />
<Rule xsi:type="Value" value="staff" caseSensitive="true" />
<Rule xsi:type="Value" value="alum" caseSensitive="true" />
<Rule xsi:type="Value" value="member" caseSensitive="true" />
<Rule xsi:type="Value" value="affiliate" caseSensitive="true" />
<Rule xsi:type="Value" value="employee" caseSensitive="true" />
<Rule xsi:type="Value" value="library-walk-in" caseSensitive="true" />
</Rule>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonOrcid">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="sn">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="cn">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonOrgDN">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="title">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="telephoneNumber">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonOrgUnitDN">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacPersonalTitle">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacPersonalUniqueID">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacPersonalUniqueCode">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganization">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganizationType">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacUserPresenceID">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="mobile">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacMotherTongue">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="preferredLanguage">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<!-- Other SCHAC attributes -->
<AttributeRule attributeID="schacGender">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacDateOfBirth">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacPlaceOfBirth">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacCountryOfCitizenship">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacSn1">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacSn2">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacCountryOfResidence">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacPersonalUniqueCode">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacExpiryDate">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacUserPrivateAttribute">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacUserStatus">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacProjectMembership">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacProjectSpecificRole">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacYearOfBirth">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<!-- Other eduPerson attributes -->
<AttributeRule attributeID="eduPersonNickname">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrimaryAffiliation">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrimaryOrgUnitDN">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurance">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalNamePrior">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonUniqueId">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
</AttributeFilterPolicy>