Click here for the english version
Le support de la spécification Research and Scholarship (R&S) implique pour l'IdP d'être capable de diffuser les différents attributs du jeu d'attributs R&S à l'ensemble des SPs R&S.
En terme de configuration, cela nécessite d'ajouter une politique de filtrage d'attributs spécifique au niveau du fichier attribute-filter.xml de l'IdP.
Deux options de configuration sont possibles :
Ces 2 options sont détaillées ci-dessous.
research-and-scholarship (présent dans les métadonnées des SPs de la fédération) comme base de la politique de filtrage.<md:RequestedAttribute> (présent dans les métadonnées des SPs de la fédération) comme élément de filtrage additionnel. Ci-dessous un exemple de politique de filtrage permettant de diffuser tous les attributs du jeu d'attributs R&S (liste statique) :
<!-- R&S entities: release R&S attributes automatically --> <AttributeFilterPolicy id="RSEntitiesFilterPolicy"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <!-- release of ePPN is REQUIRED --> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <!-- if your deployment of ePPN is non-reassigned, release of ePTID is OPTIONAL --> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <!-- release of mail is REQUIRED --> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <!-- either displayName or (givenName and sn) is REQUIRED but all three are RECOMMENDED --> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="surName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <!-- release of ePSA is OPTIONAL --> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy>
Ci-dessous un exemple de politique de filtrage permettant de diffuser une liste dynamique d'attributs R&S, en fonction de leur présence ou non dans les métadonnées des SPs de la fédération.
Renater recommande cette option car elle permet à l'IdP de ne diffuser que les attributs R&S demandés par les SPs R&S.
<afp:AttributeFilterPolicy id="releaseDynamicSubsetRandSAttributeBundle"> <!-- for Shib IdP V3, use type saml:EntityAttributeExactMatch instead --> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <!-- a dynamic subset of the Research & Scholarship Attribute Bundle --> <!-- release ePPN iff ePPN is listed in metadata --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release ePTID iff either ePTID or ePPN are listed in metadata --> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional --> <!-- release mail iff mail is listed in metadata --> <afp:AttributeRule attributeID="mail"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- release displayName iff displayName or (givenName + sn) are listed in metadata --> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="basic:AND"> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.42"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.5.4.4"/> <basic:Rule xsi:type="basic:AND"> </afp:PermitValueRule> </afp:AttributeRule> <!-- release givenName iff givenName or displayName are listed in metadata --> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release surname iff surname or displayName are listed in metadata --> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> <basic:Rule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:2.16.840.1.113730.3.1.241"/> </afp:PermitValueRule> </afp:AttributeRule> <!-- release ePSA iff ePSA is listed in metadata --> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </afp:AttributeRule> <!-- since ePSA is OPTIONAL, the above rule may be commented out --> </afp:AttributeFilterPolicy>