SP - attribute-policy.xml - filter by entity?

Douglas Spooner spoonerd at rsc.org
Wed Dec 21 15:39:25 GMT 2011


Hi

We are using Shib SP 2.4.3 on a 32-bit Windows platform. We are integrated with several other federations and so far haven't had to make too many changes to our SP configuration to accommodate these federations; most of the time I've been able to work out the changes needed via the wiki or other people's archived posts.

But I've come across an issue that I need some help on please. One federation I'm in the process of integrating with only wants us to accept certain values for eduPersonAffiliation.

For example:

Fed 1,2,3 want us to accept faculty, student, staff, member, employee.
Fed 4 wants us to only accept faculty, student, staff.

I figured it might be possible to do something similar to what I did with the credential resolver & RelyingParty for specific federations (they all had different rules about cert expiry, etc.).

Is it possible in the attribute-policy.xml to set up a rule to filter by the entity descriptor name, and if so, how?

If not, is there another way around it, or is it even possible?

I've been over https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter (I think this is what I should be looking at?) a few times, but I can't quite work out where to start with that as the examples just deal with IdPs releasing to SPs.

I'm no Shibboleth expert, so if you can reply or offer advice, please assume my knowledge is limited.

Thanks for reading.

Doug

<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for affiliation values. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
    </afp:PermitValueRule>

    <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Filter out undefined affiliations and ensure only one primary. -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
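One way to express the per-federation requirement described in the question, as an added example rather than anything from the original post or the Shibboleth project: the SP's attribute filter can select the asserting IdP with the AttributeIssuerInEntityGroup functor (the Name of the EntitiesDescriptor its metadata was loaded from) or AttributeIssuerString (a single entityID), used as the PolicyRequirementRule of a policy. The group name urn:example:federation4 and the entityID https://idp.example.edu/idp/shibboleth are placeholders; the policy ids are arbitrary.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Broad value set for federations 1-3. -->
    <afp:PermitValueRule id="affiliationBroad" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
    </afp:PermitValueRule>

    <!-- Narrow value set for federation 4. -->
    <afp:PermitValueRule id="affiliationNarrow" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
    </afp:PermitValueRule>

    <!-- Matches an IdP either by the metadata group (EntitiesDescriptor Name)
         it was loaded from or by its entityID. Both values are placeholders. -->
    <afp:PolicyRequirementRule id="isFederation4" xsi:type="OR">
        <Rule xsi:type="AttributeIssuerInEntityGroup" groupID="urn:example:federation4"/>
        <Rule xsi:type="AttributeIssuerString" value="https://idp.example.edu/idp/shibboleth"/>
    </afp:PolicyRequirementRule>

    <!-- Federation 4 IdPs: only the narrow set is accepted. -->
    <afp:AttributeFilterPolicy id="federation4">
        <afp:PolicyRequirementRuleReference ref="isFederation4"/>
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRuleReference ref="affiliationNarrow"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Everyone else. Policies are additive (a value passes if any
         applicable policy permits it), so this policy must exclude
         federation 4 explicitly rather than match ANY. -->
    <afp:AttributeFilterPolicy id="otherFederations">
        <afp:PolicyRequirementRule xsi:type="NOT">
            <RuleReference ref="isFederation4"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRuleReference ref="affiliationBroad"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The scoping checks, the unscoped-affiliation/primary-affiliation/eppn/targeted-id rules and the catch-all from the default file are omitted here only to keep the example short; in a real deployment they sit alongside these policies, with the scoping AND applied to "affiliation" as in the original.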



