>>> On 26/01/2011 at 11:11, in message
<[log in to unmask]>, Jon Warbrick
<[log in to unmask]> wrote:
> Could you possibly post your attribute-resolver and attribute-filter
> entries for eduPersonTargetID? As I understand it (and I need urgently to
> do some more research here) there's more than one way of generating and
> perhaps filtering this attribute, and some _may_ break personalisation. I
> see no reason not to try and ride on your coat tails given that you
> apparently have a tested solution that works!
>
I'm a great fan of this approach (I think I remember that half of my Shib 1 configuration came from Cambridge :-)).
I don't think you'll find a whole lot of surprises in what's below though; most of it I cut and pasted (great fan of that too) off the UK federation site (http://www.ukfederation.org.uk/content/Documents/Setup2IdP).
The only thing you'll find different is that I chose to create an attribute in eduPersonTargetedID.old for SAML2 called "eduPersonTargetedID"; this was primarily to keep a local SP happy.
resolver:

    <!-- Computed targeted ID connector: hashes workforceID per relying party with the salt -->
    <resolver:DataConnector xsi:type="ComputedId" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                            id="computedID"
                            generatedAttributeID="computedID"
                            sourceAttributeID="workforceID"
                            salt="blah blah.....">
        <resolver:Dependency ref="myLDAP" />
    </resolver:DataConnector>

    <!-- Scoped (value@scope) form of the computed ID, for SAML 1 and for the local SP that wants it over SAML 2 -->
    <resolver:AttributeDefinition id="eduPersonTargetedID.old" xsi:type="Scoped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  scope="dundee.ac.uk" sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID" />
        <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:mace:dir:attribute-def:eduPersonTargetedID" />
        <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:mace:dir:attribute-def:eduPersonTargetedID"
                                   friendlyName="eduPersonTargetedID" />
    </resolver:AttributeDefinition>

    <!-- SAML 2 persistent NameID form of the computed ID, released under the eduPersonTargetedID OID -->
    <resolver:AttributeDefinition id="eduPersonTargetedID" xsi:type="SAML2NameID" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                  sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID" />
        <resolver:AttributeEncoder xsi:type="SAML1XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" />
        <resolver:AttributeEncoder xsi:type="SAML2XMLObject" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" friendlyName="eduPersonTargetedID" />
    </resolver:AttributeDefinition>

filter:
This is the catchall at the end:

    <!-- Applies to every relying party: release the basic eduPerson set plus both targeted ID forms -->
    <AttributeFilterPolicy id="basiceepset">
        <PolicyRequirementRule xsi:type="basic:ANY" />
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonTargetedID.old">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

HTH
But I don't think there are any surprises?
Andy
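An added illustration, not part of Andy's post or of the Shibboleth IdP's own code, of the property Jon is worried about: the ComputedId value is stable for one user at one SP only while the salt and the source attribute stay fixed. It assumes the connector derives the value as SHA-1 over entityID, "!", source value, "!", salt, Base64-encoded; the salt, entityIDs and workforceID below are constructed sample values.

```python
import base64
import hashlib

# Constructed sample values for this demonstration; none are real Dundee data.
SALT = b"constructed-salt-keep-secret-and-never-change"
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"
WORKFORCE_ID = "wf0001234"  # stands in for the workforceID source attribute


def computed_id(relying_party_id: str, source_value: str, salt: bytes) -> str:
    """SP-specific opaque value for one user.

    Assumption: SHA-1 over entityID + '!' + source value + '!' + salt,
    Base64-encoded, which is how the ComputedId connector is understood to
    work; this is an illustration, not the IdP's own code.
    """
    md = hashlib.sha1()
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_value.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


def scoped_form(relying_party_id: str, source_value: str, salt: bytes,
                scope: str = "dundee.ac.uk") -> str:
    """What the Scoped definition (eduPersonTargetedID.old) releases: value@scope."""
    return f"{computed_id(relying_party_id, source_value, salt)}@{scope}"


def stability_report() -> dict:
    """Properties to verify before touching the salt or the source attribute."""
    a1 = computed_id(SP_A, WORKFORCE_ID, SALT)
    a2 = computed_id(SP_A, WORKFORCE_ID, SALT)
    b = computed_id(SP_B, WORKFORCE_ID, SALT)
    resalted = computed_id(SP_A, WORKFORCE_ID, b"constructed-new-salt")
    changed_source = computed_id(SP_A, "wf0009999", SALT)
    return {
        "stable_for_same_sp": a1 == a2,                    # repeat logins keep personalisation
        "differs_between_sps": a1 != b,                    # SPs cannot correlate the user
        "breaks_if_salt_changes": a1 != resalted,          # every SP then sees a "new" user
        "breaks_if_source_changes": a1 != changed_source,  # so the source must be immutable
    }
```

The SAML2NameID definition carries the same computed value as a persistent NameID with SPNameQualifier set to the relying party, so both forms break in exactly the same way if the salt or workforceID ever changes.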