Help with InCommon and National Student Clearing House

IAM David Bantz dabantz at alaska.edu
Wed Sep 28 17:30:03 UTC 2022


As far as I can tell, NSC does ignore the additional attributes released
because their SP is in InCommon. I don’t filter them out.

I believe they required a persistent nameID in the subject, which may
require an override configured, e.g.:

<!-- National Student Clearing House wants "persistent" nameID -->
    <bean parent="RelyingPartyByName"
          c:relyingPartyIds="#{{'https://id.studentclearinghouse.org/saml2/service-provider/myhub'}}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
                    <property name="defaultAuthenticationMethods">
                        <list>
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
                            <bean parent="shibboleth.SAML2AuthnContextClassRef"
                                  c:classRef="https://refeds.org/profile/mfa" />
                        </list>
                    </property>
                </bean>
            </list>
        </property>
    </bean>

My attribute policy is simple, parallel to yours:

<AttributeFilterPolicy id="releaseToNSC">
…
        <!-- ePUID released to appear as persistent NameID -->
        <AttributeRule attributeID="eduPersonUniqueID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="NSCEmailAddress">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="NSCGivenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="NSCLastName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <!-- ID# is UA ID # -->
        <AttributeRule attributeID="NSCSchoolAssignedPersonID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>

David St Pierre Bantz
U Alaska

On 28Sep2022 at 08:05:40, Melvin Lasky via users <users at shibboleth.net>
wrote:

> Hey everyone,
> I’m having an issue with the national student clearing house. They wanted
> 4 specific attributes, named in a specific way. I have done that, but not
> only does it send the four they want, it also sends the InCommon
> attributes. I guess it matches both.
>
> How can I exclude the sending of the InCommon attributes while enabling
> the specific four for the Clearing House people.
>
> I hope this makes sense.
>
> <AttributeFilterPolicy id="releaseForNSC">
>     <PolicyRequirementRule xsi:type="Requester" value="<ValueProvidedByNSC>" />
>     <AttributeRule attributeID="SchoolAssignedPersonID" permitAny="true" />
>     <AttributeRule attributeID="EmailAddress" permitAny="true" />
>     <AttributeRule attributeID="GivenName" permitAny="true" />
>     <AttributeRule attributeID="LastName" permitAny="true" />
> </AttributeFilterPolicy>
>
>
> And I have this after (I use the InCommon Shib Docker Container):
>
>     <!-- Attribute release for all InCommon SPs -->
>     <AttributeFilterPolicy id="releaseToInCommon">
>         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
> attributeName="http://macedir.org/entity-category"
> attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
>         <AttributeRule attributeID="eduPersonPrincipalName">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>         <AttributeRule attributeID="eduPersonScopedAffiliation">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>         <AttributeRule attributeID="givenName">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>         <AttributeRule attributeID="surname">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>         <AttributeRule attributeID="displayName">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>         <AttributeRule attributeID="mail">
>             <PermitValueRule xsi:type="ANY" />
>         </AttributeRule>
>     </AttributeFilterPolicy>
>
>
> shib-idp;idp-process.log;dev;nothing; - [IPADDRESS]2022-09-22 13:32:18,401
> - INFO [Shibboleth-Audit.SSO:283] -
> 2022-09-22T13:32:18.401715Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST| random_characters | ValueProvidedByNSC |
> http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ouridp.domain.ed/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|
>  random_characters |myudernamer|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail,surname,displayName,givenName,GivenName,eduPersonPrincipalName,LastName,EmailAddress,SchoolAssignedPersonID|random_characters| random_characters |
>
> So not exactly sure what to do.
>
> They have not been very responsive to say the least. This is the first
> time I’m having an issue with an InCommon provider. Usually it’s 1-2-3.
>
> Mel
>
> *Melvin Lasky*
> Associate Director of Enterprise Architecture
>
> Riverdale, NY 10471
> Phone: 718-862-7410
> melvin.lasky at manhattan.edu
> www.manhattan.edu
>
>
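One way to stop the InCommon policy from also firing for the Clearinghouse SP, which is what the quoted message asks about: wrap the entity-category test in an AND rule that also carries a NOT rule on the Requester, so the two policies are mutually exclusive. This is an added example, not either poster's configuration; it assumes IdP v4 attribute-filter syntax and uses the NSC entityID quoted in the reply above (substitute the value NSC gave you).

```xml
<!-- Assumed: attribute-filter.xml, urn:mace:shibboleth:2.0:afp namespace, IdP v4 -->

<!-- Fires for registered-by-incommon SPs EXCEPT the Clearinghouse SP -->
<AttributeFilterPolicy id="releaseToInCommon">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="EntityAttributeExactMatch"
              attributeName="http://macedir.org/entity-category"
              attributeValue="http://id.incommon.org/category/registered-by-incommon" />
        <Rule xsi:type="NOT">
            <!-- entityID as quoted in the reply above; replace with the value NSC provided -->
            <Rule xsi:type="Requester"
                  value="https://id.studentclearinghouse.org/saml2/service-provider/myhub" />
        </Rule>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    <AttributeRule attributeID="givenName" permitAny="true" />
    <AttributeRule attributeID="surname" permitAny="true" />
    <AttributeRule attributeID="displayName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>

<!-- Fires ONLY for the Clearinghouse SP; unchanged from the quoted policy apart from the entityID -->
<AttributeFilterPolicy id="releaseForNSC">
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://id.studentclearinghouse.org/saml2/service-provider/myhub" />
    <AttributeRule attributeID="SchoolAssignedPersonID" permitAny="true" />
    <AttributeRule attributeID="EmailAddress" permitAny="true" />
    <AttributeRule attributeID="GivenName" permitAny="true" />
    <AttributeRule attributeID="LastName" permitAny="true" />
</AttributeFilterPolicy>
```

After the filter service reloads, the attribute-name field of the Shibboleth-Audit.SSO line for that requester (the field that in the quoted log lists both sets of names) should contain only the four NSC attributes.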