Help with Specific Attribute Filter
Mak, Steve
makst at upenn.edu
Fri Nov 12 16:03:09 UTC 2021
You can make a new filter policy just for that SP and set a deny rule on eduPersonScopedAffiliation. Deny rules always win.
From: users <users-bounces at shibboleth.net> on behalf of Jason Rotunno <jrotunno at swarthmore.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Friday, November 12, 2021 at 11:01 AM
To: Shib Users <users at shibboleth.net>
Subject: Help with Specific Attribute Filter
Hey All,
We're running Shibboleth IdP 4.0.1 and have an attribute filter to release a set of core attributes to InCommon members:
<!-- Attribute release for all InCommon SPs -->
<AttributeFilterPolicy id="releaseToInCommon">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
There's a particular InCommon SP for which we have to omit sending the eduPersonScopedAffiliation attribute and I haven't been able to figure out how to do that. Does anyone have an idea of how to achieve this?
Thanks,
Jason
--
Jason Rotunno
System & Security Administrator
Swarthmore College
500 College Ave
Swarthmore, PA 19081
610.328.8505
VERIFY before you click!!
- Attackers make their emails look like they come from someone they don't.
- Attackers make links look like they go to websites they don't.
- Attackers disguise malware as receipts, invoices, faxes, etc.
Forward suspicious emails to phishing at swarthmore.edu.
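The per-SP deny policy suggested in the reply could look like the following. This is an added example, not configuration posted by anyone in the thread; the policy id and the entityID https://sp.example.org/shibboleth are placeholders for the real SP.

```xml
<!-- Added example. Goes in attribute-filter.xml alongside releaseToInCommon;
     the xsi prefix is assumed to be declared on the enclosing
     AttributeFilterPolicyGroup, as in the stock file. -->
<AttributeFilterPolicy id="denyScopedAffiliationToExampleSP">
    <!-- Placeholder entityID: replace with the SP that must not receive the attribute -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/shibboleth" />

    <!-- A deny rule overrides the PermitValueRule in releaseToInCommon for this SP only -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

After reloading the attribute filter configuration, running the IdP's bin/aacli.sh with -n for a test principal and -r for the SP's entityID shows the attributes that would be released, so you can confirm eduPersonScopedAffiliation is gone for that SP and still present for other InCommon SPs.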