Help with InCommon and National Student Clearing House
Melvin Lasky
melvin.lasky at manhattan.edu
Wed Sep 28 20:21:17 UTC 2022
OK, that's good to know.
I added your section in relying-party so I think they now have something wrong on their end.
Thanks for your assistance.
I’m still waiting for them to respond.
Mel
Melvin Lasky
Associate Director of Enterprise Architecture
Riverdale, NY 10471
Phone: 718-862-7410
melvin.lasky at manhattan.edu
www.manhattan.edu
> On Sep 28, 2022, at 1:30 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>
> As far as I can tell, NSC does ignore the additional attributes released because their SP is in InCommon. I don’t filter them out.
>
> I believe they required a persistent nameID in the subject, which may require an override configured, e.g.:
> <!-- National Student Clearing House wants "persistent" nameID -->
> <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{'https://id.studentclearinghouse.org/saml2/service-provider/myhub'}}">
>     <property name="profileConfigurations">
>         <list>
>             <bean parent="SAML2.SSO"
>                   p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
>                 <property name="defaultAuthenticationMethods">
>                     <list>
>                         <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                               c:classRef="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
>                         <bean parent="shibboleth.SAML2AuthnContextClassRef"
>                               c:classRef="https://refeds.org/profile/mfa" />
>                     </list>
>                 </property>
>             </bean>
>         </list>
>     </property>
> </bean>
>
> My attribute policy is simple, parallel to yours:
>
> <AttributeFilterPolicy id="releaseToNSC">
>     …
>     <!-- ePUID released to appear as persistent NameID -->
>     <AttributeRule attributeID="eduPersonUniqueID">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="NSCEmailAddress">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="NSCGivenName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="NSCLastName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <!-- ID# is UA ID # -->
>     <AttributeRule attributeID="NSCSchoolAssignedPersonID">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> David St Pierre Bantz
> U Alaska
>
> On 28Sep2022 at 08:05:40, Melvin Lasky via users <users at shibboleth.net> wrote:
>> Hey everyone,
>> I’m having an issue with the national student clearing house. They wanted 4 specific attributes, named in a specific way. I have done that, but not only does it send the four they want, it also sends the InCommon attributes. I guess it matches both.
>>
>> How can I exclude the sending of the InCommon attributes while enabling the specific four for the Clearing House people.
>>
>> I hope this makes sense.
>>
>> <AttributeFilterPolicy id="releaseForNSC">
>>     <PolicyRequirementRule xsi:type="Requester" value="<ValueProvidedByNSC>" />
>>     <AttributeRule attributeID="SchoolAssignedPersonID" permitAny="true" />
>>     <AttributeRule attributeID="EmailAddress" permitAny="true" />
>>     <AttributeRule attributeID="GivenName" permitAny="true" />
>>     <AttributeRule attributeID="LastName" permitAny="true" />
>> </AttributeFilterPolicy>
>>
>>
>> And I have this after (I use the InCommon Shib Docker Container):
>>
>> <!-- Attribute release for all InCommon SPs -->
>> <AttributeFilterPolicy id="releaseToInCommon">
>>     <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
>>         attributeName="http://macedir.org/entity-category"
>>         attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
>>     <AttributeRule attributeID="eduPersonPrincipalName">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>>     <AttributeRule attributeID="eduPersonScopedAffiliation">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>>     <AttributeRule attributeID="givenName">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>>     <AttributeRule attributeID="surname">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>>     <AttributeRule attributeID="displayName">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>>     <AttributeRule attributeID="mail">
>>         <PermitValueRule xsi:type="ANY" />
>>     </AttributeRule>
>> </AttributeFilterPolicy>
>>
>>
>> shib-idp;idp-process.log;dev;nothing; - [IPADDRESS]2022-09-22 13:32:18,401 - INFO [Shibboleth-Audit.SSO:283] - 2022-09-22T13:32:18.401715Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|random_characters|ValueProvidedByNSC|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://ouridp.domain.ed/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|random_characters|myudernamer|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|eduPersonScopedAffiliation,mail,surname,displayName,givenName,GivenName,eduPersonPrincipalName,LastName,EmailAddress,SchoolAssignedPersonID|random_characters|random_characters|
>>
>> So not exactly sure what to do.
>>
>> They have not been very responsive to say the least. This is the first time I’m having an issue with an InCommon provider. Usually it’s 1-2-3.
>>
>> Mel
>>
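Added example, not code from the thread or from the Shibboleth project: a small Python evaluator for the attribute-filter XML quoted above. It parses the two policies as posted, evaluates them the way the IdP does (every policy whose PolicyRequirementRule matches contributes its permits, and the release is the union), and then evaluates a hardened variant in which the InCommon policy's requirement rule is an AND of the entity-category match and NOT Requester, so the NSC SP is carved out of the blanket InCommon release while every other registered-by-incommon SP still gets the usual bundle. The entityID `https://sp.example.org/nsc-placeholder`, the second SP's entityID and the user's attribute values are all constructed placeholders (the thread redacts NSC's real value as `<ValueProvidedByNSC>`); the evaluator is deliberately simplified to permitAny / ANY permits and ignores deny rules and value-level matchers.

```python
"""Simplified evaluator for Shibboleth IdP attribute-filter policies (example, not IdP code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

AFP = "urn:mace:shibboleth:2.0:afp"                  # attribute-filter.xml default namespace
XSI = "http://www.w3.org/2001/XMLSchema-instance"
CATEGORY = "http://macedir.org/entity-category"
INCOMMON = "http://id.incommon.org/category/registered-by-incommon"
NSC_SP = "https://sp.example.org/nsc-placeholder"    # hypothetical stand-in for <ValueProvidedByNSC>


@dataclass
class SPContext:
    """What the filter engine knows about the requester: entityID plus metadata entity attributes."""
    entity_id: str
    entity_attributes: dict   # attribute name -> set of values from the SP's metadata


def rule_matches(rule, ctx):
    """Evaluate one PolicyRequirementRule / Rule element against the SP context."""
    kind = rule.get(f"{{{XSI}}}type")
    if kind == "ANY":
        return True
    if kind == "Requester":
        return ctx.entity_id == rule.get("value")
    if kind == "EntityAttributeExactMatch":
        return rule.get("attributeValue") in ctx.entity_attributes.get(rule.get("attributeName"), set())
    children = rule.findall(f"{{{AFP}}}Rule")        # AND / OR / NOT nest plain <Rule> children
    if kind == "AND":
        return all(rule_matches(c, ctx) for c in children)
    if kind == "OR":
        return any(rule_matches(c, ctx) for c in children)
    if kind == "NOT":
        return not rule_matches(children[0], ctx)
    raise ValueError(f"unsupported rule type: {kind}")


def released_attributes(policy_xml, ctx, user_attrs):
    """Return (matched policy ids, {attributeID: values}).

    Every policy whose requirement rule matches contributes its permits and the release is
    the union. Simplified: only permitAny / ANY permits are honoured, and deny rules (which
    take precedence over permits in the real IdP) are not modelled."""
    root = ET.fromstring(policy_xml)
    matched, released = [], {}
    for policy in root.findall(f"{{{AFP}}}AttributeFilterPolicy"):
        if not rule_matches(policy.find(f"{{{AFP}}}PolicyRequirementRule"), ctx):
            continue
        matched.append(policy.get("id"))
        for ar in policy.findall(f"{{{AFP}}}AttributeRule"):
            aid = ar.get("attributeID")
            permit_any = ar.get("permitAny") == "true" or any(
                pv.get(f"{{{XSI}}}type") == "ANY" for pv in ar.findall(f"{{{AFP}}}PermitValueRule"))
            if permit_any and aid in user_attrs:
                released.setdefault(aid, set()).update(user_attrs[aid])
    return matched, released


# Constructed policy XML mirroring the two policies quoted in the thread.
NSC_POLICY = f"""
  <AttributeFilterPolicy id="releaseForNSC">
    <PolicyRequirementRule xsi:type="Requester" value="{NSC_SP}"/>
    <AttributeRule attributeID="SchoolAssignedPersonID" permitAny="true"/>
    <AttributeRule attributeID="EmailAddress" permitAny="true"/>
    <AttributeRule attributeID="GivenName" permitAny="true"/>
    <AttributeRule attributeID="LastName" permitAny="true"/>
  </AttributeFilterPolicy>"""
INCOMMON_ATTRS = "".join(
    f'<AttributeRule attributeID="{a}"><PermitValueRule xsi:type="ANY"/></AttributeRule>'
    for a in ("eduPersonPrincipalName", "eduPersonScopedAffiliation",
              "givenName", "surname", "displayName", "mail"))
CATEGORY_MATCH = f'attributeName="{CATEGORY}" attributeValue="{INCOMMON}"'


def policy_group(incommon_requirement):
    return (f'<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="{AFP}" xmlns:xsi="{XSI}">'
            f'{NSC_POLICY}<AttributeFilterPolicy id="releaseToInCommon">{incommon_requirement}'
            f'{INCOMMON_ATTRS}</AttributeFilterPolicy></AttributeFilterPolicyGroup>')


# As posted: the InCommon policy matches any registered-by-incommon SP, NSC included.
ORIGINAL = policy_group(f'<PolicyRequirementRule xsi:type="EntityAttributeExactMatch" {CATEGORY_MATCH}/>')
# Hardened: same category match, but NSC is explicitly carved out with AND + NOT(Requester).
HARDENED = policy_group(
    '<PolicyRequirementRule xsi:type="AND">'
    f'<Rule xsi:type="EntityAttributeExactMatch" {CATEGORY_MATCH}/>'
    f'<Rule xsi:type="NOT"><Rule xsi:type="Requester" value="{NSC_SP}"/></Rule>'
    '</PolicyRequirementRule>')

# Constructed resolver output for one test user, and the SP contexts to evaluate against.
USER = {
    "eduPersonPrincipalName": {"jdoe@example.edu"}, "eduPersonScopedAffiliation": {"member@example.edu"},
    "givenName": {"Jane"}, "surname": {"Doe"}, "displayName": {"Jane Doe"}, "mail": {"jdoe@example.edu"},
    "SchoolAssignedPersonID": {"000123456"}, "EmailAddress": {"jdoe@example.edu"},
    "GivenName": {"Jane"}, "LastName": {"Doe"},
}
NSC_CTX = SPContext(NSC_SP, {CATEGORY: {INCOMMON}})
OTHER_INCOMMON_CTX = SPContext("https://sp.example.org/some-other-incommon-sp", {CATEGORY: {INCOMMON}})

if __name__ == "__main__":
    for label, xml in (("original", ORIGINAL), ("hardened", HARDENED)):
        matched, rel = released_attributes(xml, NSC_CTX, USER)
        print(f"{label}: policies={matched} released={sorted(rel)}")
```

Against the original policies the NSC requester matches both `releaseForNSC` and `releaseToInCommon`, which reproduces the ten-attribute list in the audit line quoted above; against the hardened policies only the four NSC attributes are released, and a different registered-by-incommon SP still gets the six InCommon attributes. The thread's answer is that NSC simply ignores the extras, so nothing is broken as posted; the AND/NOT carve-out is the data-minimisation option if you would rather not ship eduPersonPrincipalName and friends to an SP that did not ask for them. After changing attribute-filter.xml, reload the filter service (or restart the IdP) and confirm the change in the attribute field of the Shibboleth-Audit line for the next NSC login rather than trusting the config by inspection.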