Release different value for affiliation based on service provider
Baron Fujimoto
baron at hawaii.edu
Tue Nov 13 20:06:47 EST 2012
On Tue, Nov 13, 2012 at 11:17:21PM +0000, john spence wrote:
>I'm trying to find a way to release an attribute with different values
>based on the service provider making the request.
>
>For example, release "eduPersonScopedAffiliation" with a specific
>value of "Member" to some providers but release a more specific value
>such as "Staff", "Student" to other providers.
>I would like to be able to do the same with "entitlement" as well so
>as not to overfill the attribute with information only a couple of
>specific providers are actually interested in.
>
>I'm sure it must be possible, but I cannot find the rule or syntax to
>allow this kind of variation. I remember finding something I thought
>would be perfect, but have been unable to find it again after quite a
>lot of searching.
>
>I cannot see any way to pass the service provider name/url to a
>database stored procedure which would ideally move the logic out of
>shibboleth or even just a way to say, use this source for the
>attribute if the provider is X otherwise use this source for the
>value.
>
>Can anyone point me in the right direction of an answer or tell me it
>just is not possible.
We do something like this with "mapped" resolvers.
===== conf/attribute-resolver.xml =====
<!-- UH EduPersonAffiliation -->
<!-- -->
<!-- * map faculty/staff -> "Member" -->
<resolver:AttributeDefinition xsi:type="ad:Mapped"
                              id="uh_eduPersonAffiliation"
                              sourceAttributeID="edupersonaffiliation">
    <resolver:Dependency ref="UH_LDAP" />
    <!-- map faculty/staff -> "Member" -->
    <!-- source values with no matching ValueMap (e.g. student) are dropped,
         since no ad:DefaultValue is declared -->
    <ad:ValueMap>
        <ad:ReturnValue>Member</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">faculty</ad:SourceValue>
        <ad:SourceValue ignoreCase="true">staff</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
<!-- /uh_eduPersonAffiliation -->

<!-- UH eduPersonAffiliation includes "student" -->
<!-- * map faculty/staff/student -> "Member" -->
<resolver:AttributeDefinition xsi:type="ad:Mapped"
                              id="uh_eduPersonAffiliation_includeStudent"
                              sourceAttributeID="edupersonaffiliation">
    <resolver:Dependency ref="UH_LDAP" />
    <!-- map faculty/staff/student -> "Member" -->
    <ad:ValueMap>
        <ad:ReturnValue>Member</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">faculty</ad:SourceValue>
        <ad:SourceValue ignoreCase="true">staff</ad:SourceValue>
        <ad:SourceValue ignoreCase="true">student</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>
<!-- /uh_eduPersonAffiliation_includeStudent -->
======
These two variants differ by their inclusion of students. You could choose
mappings that provide the results you want.
Then, we select the resolved attribute we want in the attribute-filter.xml.
I think trivial examples would look something like this.
===== conf/attribute-filter.xml =====
<!-- SP_1 -->
<afp:AttributeFilterPolicy id="sp_1">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp1.example.com" />
    <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- /SP_1 -->

<!-- SP_2 -->
<afp:AttributeFilterPolicy id="sp_2">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp2.example.org" />
    <afp:AttributeRule attributeID="uh_eduPersonAffiliation_includeStudent">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
<!-- /SP_2 -->
======
--
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
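As an added example (not from Baron's post or UH's configuration), the same Mapped-definition plus filter-policy pattern extended to the two other things the question asked for: keeping staff and students distinguishable for one SP, and releasing only the entitlement value that SP consumes. The third SP's entityID, the entitlement URN, the eduPersonEntitlement attribute id and the default IdP v2 namespace prefixes (resolver, ad, enc, afp, basic) are assumptions; the encoder is included because a mapped attribute is only released if it carries one.

```xml
<!-- conf/attribute-resolver.xml: a third variant that keeps the distinction
     between staff and students instead of collapsing both to one value.
     Return values use the lowercase eduPersonAffiliation vocabulary. Source
     values with no matching ad:ValueMap (alum, affiliate, ...) are dropped
     because no ad:DefaultValue is declared, so nothing unexpected leaks. -->
<resolver:AttributeDefinition xsi:type="ad:Mapped"
                              id="uh_eduPersonAffiliation_detailed"
                              sourceAttributeID="edupersonaffiliation">
    <resolver:Dependency ref="UH_LDAP" />
    <ad:ValueMap>
        <ad:ReturnValue>staff</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">faculty</ad:SourceValue>
        <ad:SourceValue ignoreCase="true">staff</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>student</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">student</ad:SourceValue>
    </ad:ValueMap>
    <!-- Every variant encodes under the standard eduPersonAffiliation name,
         so each SP sees a single attribute; the filter decides which variant
         that SP receives. -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                               name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                               friendlyName="eduPersonAffiliation" />
</resolver:AttributeDefinition>

<!-- conf/attribute-filter.xml: sp3 (assumed entityID) gets the detailed
     affiliation plus only the single entitlement value it consumes. -->
<afp:AttributeFilterPolicy id="sp_3">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sp3.example.edu/shibboleth" />
    <afp:AttributeRule attributeID="uh_eduPersonAffiliation_detailed">
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <!-- eduPersonEntitlement (assumed id) holds many values; permit only
         the one this SP is meant to see rather than the whole set. -->
    <afp:AttributeRule attributeID="eduPersonEntitlement">
        <afp:PermitValueRule xsi:type="basic:AttributeValueString"
                             value="urn:mace:example.edu:entitlement:sp3" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Permit only one affiliation variant per SP: two definitions that share the same encoder name would both be released to an SP whose policy permits both, handing it both value sets.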