Configuring IdP server

Francis Jayakanth francis at iisc.ac.in
Sat May 8 04:47:33 UTC 2021


Dear Dr Bradley, thank you very much for the reply and the pointers. I will explore them and also check with my institute if the additional attributes required to be released to access CILogon conform to its policies.

With regards, Francis.

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Robert Bradley <robert.bradley at it.ox.ac.uk>
Sent: 07 May 2021 20:31
To: users at shibboleth.net <users at shibboleth.net>
Subject: Re: Configuring IdP server


On 06/05/2021 05:48, Francis Jayakanth, via users, wrote:
>
> Hi, In April 2020, our library set up a Shibboleth IdP server to
> facilitate federated access to subscribed online resources. Since then,
> the IdP server is serving the purpose very well.
>
> Of late, some of our users want to use federated login to access sites
> like the CILogon, https://www.cilogon.org/home but cannot do so because
> our IdP server is not releasing the attributes expected by the site.
> Please see the enclosed screenshot for your reference.
>
> Our IdP is releasing only three attributes to all the publishers to
> access the online resources - eduPersonEntitlement,
> EduPersonScopedAffiliation, and eduPersonTargetedID, and they are
> adequate to access the publishers' online resources.
>
> If you have configured your IdP server to facilitate federated login to
> sites like CILogon, NIH, can you please share the configuration details?
>

For CILogon to work, you'll need to update your published metadata to
assert Sirtfi and R&S compliance:

https://refeds.org/sirtfi
https://refeds.org/research-and-scholarship

and then implement the R&S attribute release policy configuration in:

https://wiki.refeds.org/display/ENT/Research+and+Scholarship+IdP+Config

Before doing that, you'll want to read all of those links to find out
the full details of what you're asserting, and then find out whether
your organisation can/will agree to implement it.

For NIH, you can (if I recall correctly) get away with manually
releasing the R&S attribute set (eduPersonPrincipalName, displayName,
givenName, sn, mail, eduPersonScopedAffiliation) without implementing
the R&S specification and metadata announcements.  Again, this assumes
that your organisation is happy to release the attributes in accordance
with its own policies.

--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
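
The following is an added example, not part of the original thread: a check of whether an IdP's published metadata carries the Sirtfi and R&S assertions the reply refers to. It assumes a single EntityDescriptor taken from your own metadata file; the entity-attribute names and values are those defined by the REFEDS specifications, while the function name and the sample metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML metadata namespaces used in the XPath-style lookups below.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REMD_CONTACT = "{http://refeds.org/metadata}contactType"
RS_SUPPORT = ("http://macedir.org/entity-category-support",
              "http://refeds.org/category/research-and-scholarship")
SIRTFI = ("urn:oasis:names:tc:SAML:attribute:assurance-certification",
          "https://refeds.org/sirtfi")
SECURITY_CONTACT = "http://refeds.org/metadata/contactType/security"

def check_idp_metadata(xml_text):
    """Report which R&S / Sirtfi assertions an IdP EntityDescriptor publishes."""
    entity = ET.fromstring(xml_text)  # intended for your own metadata, not untrusted XML
    attrs = {}
    for a in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        vals = {(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)}
        attrs.setdefault(a.get("Name"), set()).update(vals)
    # Sirtfi also expects a security contact with an e-mail address.
    contact = any(c.get(REMD_CONTACT) == SECURITY_CONTACT
                  and c.find("md:EmailAddress", NS) is not None
                  for c in entity.findall("md:ContactPerson", NS))
    return {"rs_support": RS_SUPPORT[1] in attrs.get(RS_SUPPORT[0], set()),
            "sirtfi": SIRTFI[1] in attrs.get(SIRTFI[0], set()),
            "sirtfi_security_contact": contact}

# Constructed, trimmed sample (hypothetical entityID; role descriptors omitted).
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:remd="http://refeds.org/metadata" entityID="https://idp.example.org/idp/shibboleth">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category-support">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification">
   <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
  </saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
 <md:ContactPerson contactType="other" remd:contactType="http://refeds.org/metadata/contactType/security">
  <md:EmailAddress>mailto:security@example.org</md:EmailAddress>
 </md:ContactPerson>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(check_idp_metadata(SAMPLE))
```

A result with any value False shows which assertion is still missing from the published metadata; it says nothing about whether the attribute release policy itself has been configured.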

