Versions Compared

Old Version 3

changes.mady.by.user Andrijana Todosijevic

Saved on

compared with

New Version 4

changes.mady.by.user Andrijana Todosijevic

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

To release the recommended attributes to a particular Service Provider with a Shibboleth Identity Provider, edit the file "/opt/shibboleth-idp/conf/attribute-filter.xml". The add the following code before the "</AttributeFilterPolicyGroup>" tag and change the entityID (https://sp.example.org/shibboleth) to the entityID of an actual Service Provider:

Code Block
languagexml
linenumberstrue
<!-- Example SP -->
<AttributeFilterPolicy id="Example-SP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
    value="https://sp.example.org/shibboleth" />
  
    <afp:AttributeRule attributeID="displayName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="commonName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="email"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="schacHomeOrganization"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="schacHomeOrganizationType"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
 </AttributeFilterPolicy>

Instead of manually configuring attribute release rules, you may also consider implementing the Data Protection Code of Conduct that helps to automatically release attributes to a particular Service Provider that signed the Code of Conduct.


How to test the release of the recommended attributes to the Example Service Provider

The Shibboleth Identity Provider comes with a script called AACLI that allows to test the release of attributes:
If you have installed the Shibboleth IdP into its default path, you can execute the command

Code Block
languagetext
/opt/shibboleth-idp/bin/aacli.sh \
  --principal=##USERID-on-LDAP## \
  --configDir=/opt/shibboleth-idp/conf \ 
  --requester=https://sp.example.com/shibboleth-sp