...
For Shibboleth IdP
The new IdP v3 config that has been put in place includes consuming a CCC system-wide, centrally managed "attribute release file" (a central attribute-filter.xml file) from a HTTPS URL (with checking that the certificate matches for security.) The IdP automatically checks for updates for that file and if changes have been found will reload the file. That "CCC-wide central attribute-filter.xml file" already contains the following attribute release rules for the proxy. You can tell if your IdP has that file by checking in the IdP's conf/ directory for the file 'conf/attribute-filter.ccccentral.xml'. Otherwise, add the following to the IdP's conf/attribute-filter.xml file, or however you configure attribute release in whatever SAML IdP software that you are using.
| Code Block |
|---|
<!--
Release all required and optional attributes, for any service,
to the CCC IdP Proxy, so it in turn can release only the
needed attributes to the services on the other side
of the IdP Proxy. All attributes will not be sent to all services,
just the needed ones for a given service. The attributes here should
constitute a "union" of all possible attributes for any service.
-->
<AttributeFilterPolicy id="CCCWideReleaseForIdPProxy">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="Requester" value="https://sso.ci.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
<Rule xsi:type="Requester" value="https://sso.test.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
<Rule xsi:type="Requester" value="https://sso.pilot.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
<Rule xsi:type="Requester" value="https://sso.cccmypath.org/simplesaml/module.php/saml/sp/metadata.php"/>
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="faculty" ignoreCase="true"/>
<Rule xsi:type="Value" value="student" ignoreCase="true"/>
<Rule xsi:type="Value" value="staff" ignoreCase="true"/>
<Rule xsi:type="Value" value="alum" ignoreCase="true"/>
<Rule xsi:type="Value" value="member" ignoreCase="true"/>
<Rule xsi:type="Value" value="affiliate" ignoreCase="true"/>
<Rule xsi:type="Value" value="employee" ignoreCase="true"/>
<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true"/>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="eduPersonPrimaryAffiliation">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<!-- CCC specific attributes -->
<AttributeRule attributeID="cccId">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="cccMisCode">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<!-- Less likely attributes to be populated, but release if available -->
<AttributeRule attributeID="mobileNumber">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="homePhone">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="telephoneNumber">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="postalAddress">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="street">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="locality">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="stateProvince">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="postalCode">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
</AttributeFilterPolicy> |
...