Difference Topic ARP (r1.9 - 17 Feb 2008 - BrucLiong)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 89 to 89

specific service provider, identified by their SP providerId.

  • The example below restrict the release of all the above attributes to SP whose providerID value is
Changed:
<
<
"urn:mace:federation.org.au:testfed:sp-error.mams.org.au":
>
>
"urn:mace:federation.mams.local:testfed:sp-error.mams.org.au":

     <Target>
Changed:
<
<
urn:mace:federation.org.au:testfed:sp-error.mams.org.au
>
>
urn:mace:federation.mams.local:testfed:sp-error.mams.org.au

  • If you now try to access the JSP application, you will see that no attributes are released.
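Review bot: the `<Target>` value is renamed in step with the quoted providerId in the bullet above it, and that lock-step is mandatory: the `<Requester>` element (visible in r1.3 below) uses matchFunction exactShar, an exact string comparison, so any difference between this value and the providerId the SP actually presents means the rule never matches and nothing is released. Suggest a sentence telling the reader to copy the value from the SP's registered providerId rather than retype it, since each revision of this page renames the federation prefix.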
Changed:
<
<
  • If you change the target value back to "urn:mace:federation.org.au:testfed:sp.mams.org.au",
>
>
  • If you change the target value back to "urn:mace:federation.mams.local:testfed:sp.mams.org.au",

all attributes will be released because the target will now match:
     <Target>
Changed:
<
<
urn:mace:federation.org.au:testfed:sp.mams.org.au
>
>
urn:mace:federation.mams.local:testfed:sp.mams.org.au

Difference Topic ARP (r1.8 - 12 Oct 2007 - BrucLiong)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 86 to 86

Releasing Attributes for Specific Service Provider

  • Assume your SP hostname is "sp.mams.org.au". You can restrict the release of each attribute to a
Changed:
<
<
specific service provider, identified by their hostname.
>
>
specific service provider, identified by their SP providerId.

  • The example below restrict the release of all the above attributes to SP whose providerID value is "urn:mace:federation.org.au:testfed:sp-error.mams.org.au":
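Review bot: the preceding context line "Assume your SP hostname is "sp.mams.org.au"" now conflicts with the corrected wording, because the rule matches the SP's providerId, not its hostname; suggest rewording it to "Assume your SP's providerId is ..." or dropping the hostname assumption altogether.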
Difference Topic ARP (r1.7 - 29 Aug 2007 - BrucLiong)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 105 to 105

Changed:
<
<


>
>
  • You can also manage the release of specific values by doing the following:
        <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
            <Value release="permit">staff</Value>
            <Value release="deny">member</Value>
        </Attribute>
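Review bot: the value-level example is a bare `<Attribute>` with no enclosing `<Rule>` and `<Target>`, so the reader cannot tell which requesters it applies to; suggest showing it inside the rule from the bronze example. It should also say that `<Value release="deny">member</Value>` withholds only that literal value, and that other affiliation values are released only if some rule permits them, so this fragment alone releases "staff" and nothing else.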

Changed:
<
<
-- ChiNguyen - 19 Feb 2006
>
>


Difference Topic ARP (r1.6 - 25 Sep 2006 - ChiNguyen)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 89 to 89

specific service provider, identified by their hostname.

  • The example below restrict the release of all the above attributes to SP whose providerID value is
Changed:
<
<
"urn:mace:federation.org.au:testfed:level-1:sp-error.mams.org.au":
>
>
"urn:mace:federation.org.au:testfed:sp-error.mams.org.au":

     <Target>
Changed:
<
<
urn:mace:federation.org.au:testfed:level-1:sp-error.mams.org.au
>
>
urn:mace:federation.org.au:testfed:sp-error.mams.org.au

  • If you now try to access the JSP application, you will see that no attributes are released.
Changed:
<
<
  • If you change the target value back to "urn:mace:federation.org.au:testfed:level-1:sp.mams.org.au",
>
>
  • If you change the target value back to "urn:mace:federation.org.au:testfed:sp.mams.org.au",

all attributes will be released because the target will now match:
     <Target>
Changed:
<
<
urn:mace:federation.org.au:testfed:level-1:sp.mams.org.au
>
>
urn:mace:federation.org.au:testfed:sp.mams.org.au

Difference Topic ARP (r1.5 - 15 Jun 2006 - ChiNguyen)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 6 to 6

are determined by the use of Attributes Release Policies (ARPs).

A full and comprehensive description of

Changed:
<
<
ARP configuration is provided by the Shibboleth community.
>
>
ARP configuration is provided by the Shibboleth community.

It is reccommended that institutions interested in becoming an IdP should study the Shibboleth installation guide on ARP carefully.

Some key points to note:

Difference Topic ARP (r1.4 - 13 Mar 2006 - ChiNguyen)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Line: 89 to 89

specific service provider, identified by their hostname.

  • The example below restrict the release of all the above attributes to SP whose providerID value is
Changed:
<
<
"urn:au:testfed:level-1:sp-error.mams.org.au":
>
>
"urn:mace:federation.org.au:testfed:level-1:sp-error.mams.org.au":

     <Target>
Changed:
<
<
urn:au:testfed:level-1:sp-error.mams.org.au
>
>
urn:mace:federation.org.au:testfed:level-1:sp-error.mams.org.au

  • If you now try to access the JSP application, you will see that no attributes are released.
Changed:
<
<
  • If you change the target value back to "urn:au:testfed:level-1:sp.mams.org.au",
>
>
  • If you change the target value back to "urn:mace:federation.org.au:testfed:level-1:sp.mams.org.au",

all attributes will be released because the target will now match:
     <Target>
Changed:
<
<
urn:au:testfed:level-1:sp.mams.org.au
>
>
urn:mace:federation.org.au:testfed:level-1:sp.mams.org.au

Difference Topic ARP (r1.3 - 19 Feb 2006 - ChiNguyen)

META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Changed:
<
<
In Shibboleth, all releases of attributes that are "resolvable" by the resolver
>
>
On the Shibboleth IdP side, all releases of attributes that are "resolvable" by the resolver

are determined by the use of Attributes Release Policies (ARPs).

A full and comprehensive description of

Line: 23 to 23

To best understand how to setup the ARP in practice, we will go through setting the ARP for the following:

  • How to setup ARPs for differen service levels of an application?
Changed:
<
<
  • How to setup the release of attributes for a specific Service Provider
  • How to use "smartscope"?
>
>
  • How to setup the release of attributes for a specific Service Provider?

Changed:
<
<

Prerequsites:

>
>

Prerequisites:


Changed:
<
<
>
>
  • You have installed on an IdP following the instructions here. We will be editing the site arp file, arp.site.xml, residing in /usr/local/shibboleth-idp/arps directory.
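Review bot: the prerequisite names the directory /usr/local/shibboleth-idp/arps but says nothing about who may write to it. Since this page also states that ARP edits take effect immediately without an IdP restart, write access to that directory is the ability to change which attributes leave the IdP; suggest adding that it should be writable only by the IdP administrator account and that ARP changes be reviewed like any other release decision.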

Deleted:
<
<
This is the machine where we will deploy our JSP application.
  • Java 1.5.x with JAVA_HOME environment set up to point to this location.

  • You have deploy the demo JSP application according to this guide.
Changed:
<
<
This JSP application reflects attributes and values passed via Shibboleth, and has three service levels:
>
>
This JSP application reflects attributes passed via Shibboleth, and has three service levels:

* Bronze service requires release of “eduPersonAffiliation” attribute only. * Silver service requires release of “eduPersonAffiliation” and “eduPersonNickname” attributes. * Gold service requires release of “eduPersonAffiliation”, “eduPersonNickname” and “sn” attributes.
Line: 42 to 40

Releasing Attributes for Different Service Levels

Added:
>
>
  • With no release of attributes, point your browser at your JSP demo page, ie http://SP_HOST/jsp-examples/demo.jsp. At the WAYF, select your IdP and after login in, you will see that your access level in none.

  • For bronze service, use the following content for your arp.site.xml


Line: 59 to 60

Added:
>
>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname">
            <AnyValue release="permit"/>
        </Attribute>
<nop>

Added:
>
>
  • This time when you go back to the JSP demo URL (after closing all the browser windows), your access level should be silver.

  • For gold service, add the following attribute to your arp.site.xml
        <Attribute name="urn:mace:dir:attribute-def:sn">
            <AnyValue release="permit"/>
        </Attribute>
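Review bot: the silver step says to return to the demo URL "after closing all the browser windows" but not why, so a reader who skips it still sees bronze and concludes the ARP edit did not apply. Suggest stating that the SP obtains attributes when the session is established, so a revised ARP is only visible after a fresh login.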

Added:
>
>


Releasing Attributes for Specific Service Provider

Changed:
<
<

Attributes SmartScope?

>
>
  • Assume your SP hostname is "sp.mams.org.au". You can restrict the release of each attribute to a specific service provider, identified by their hostname.

  • The example below restrict the release of all the above attributes to SP whose providerID value is "urn:au:testfed:level-1:sp-error.mams.org.au":
     <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">urn:au:testfed:level-1:sp-error.mams.org.au</Requester>
     </Target>
  • If you now try to access the JSP application, you will see that no attributes are released.

  • If you change the target value back to "urn:au:testfed:level-1:sp.mams.org.au", all attributes will be released because the target will now match:
     <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">urn:au:testfed:level-1:sp.mams.org.au</Requester>
     </Target>
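Review bot: the first bullet says the SP is "identified by their hostname", but the `<Requester>` element matches the SP's providerId URN with matchFunction exactShar, not a hostname (r1.8 later corrects the wording; this hunk should use providerId from the start). It is also worth saying explicitly that a mismatch fails closed, as the next bullet demonstrates: with no rule matching the requester, no attributes are released.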


Difference Topic ARP (r1.2 - 19 Feb 2006 - ChiNguyen)

META TOPICPARENT WebHome
Changed:
<
<

Attribute Release Policy (ARP)

>
>

Attribute Release Policy (ARP)


Changed:
<
<

Purpose

>
>
In Shibboleth, all releases of attributes that are "resolvable" by the resolver are determined by the use of Attributes Release Policies (ARPs).

Changed:
<
<

Components of ARP

>
>
A full and comprehensive description of ARP configuration is provided by the Shibboleth community. It is reccommended that institutions interested in becoming an IdP should study the Shibboleth installation guide on ARP carefully.

Added:
>
>
Some key points to note:

Changed:
<
<

Example

>
>
  • There is a site wide ARP file called arp.site.xml. There are also ARP that apply to specific individuals, identified by arp.$NAME.xml, where $NAME is the principal value of the individual. At run-time after a user has logged in, the AttributeAuthority? uses the user's principal to find the user's specific ARP (if any) and combine it with the site-wide ARP to have what is known as the "effective" ARP. All attributes to be released are evaluated against this "effective ARP".
  • Currently, ARP files can only be stored on the filesystem. However, their modification does not require a restart of the IdP; rather the new ARPs are applied immediately.
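Review bot: the description of the "effective" ARP says the user-specific and site-wide ARPs are combined but not how a permit in one and a deny in the other are resolved; that precedence decides what a per-user ARP can and cannot override, so it needs to be stated. Minor: "AttributeAuthority?" carries a stray WikiWord question mark.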

Added:
>
>
To best understand how to setup the ARP in practice, we will go through setting the ARP for the following:
  • How to setup ARPs for differen service levels of an application?
  • How to setup the release of attributes for a specific Service Provider
  • How to use "smartscope"?

Changed:
<
<
-- BrucLiong - 16 Feb 2006
>
>

Prerequsites:

  • You have installed on an IdP following the instructions here.
  • You have installed a Shibboleth Service Provider following the instructions here. This is the machine where we will deploy our JSP application.
  • Java 1.5.x with JAVA_HOME environment set up to point to this location.
  • You have deploy the demo JSP application according to this guide. This JSP application reflects attributes and values passed via Shibboleth, and has three service levels: * Bronze service requires release of “eduPersonAffiliation” attribute only. * Silver service requires release of “eduPersonAffiliation” and “eduPersonNickname” attributes. * Gold service requires release of “eduPersonAffiliation”, “eduPersonNickname” and “sn” attributes.

Releasing Attributes for Different Service Levels

  • For bronze service, use the following content for your arp.site.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
    <Rule>
        <Description/>
        <Target>
           <AnyTarget/>
        </Target>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
            <AnyValue release="permit"/>
        </Attribute>

   </Rule>
   </AttributeReleasePolicy>

Releasing Attributes for Specific Service Provider

Attributes SmartScope?


-- ChiNguyen - 19 Feb 2006
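Review bot: the bronze arp.site.xml uses `<AnyTarget/>`, so the eduPersonAffiliation permit applies to every requester, not just the demo SP; that is fine for a walkthrough, but the text should say so, since the "Releasing Attributes for Specific Service Provider" section is what narrows it. `<Description/>` is also left empty; a one-line description makes later audits of why an attribute is released much easier. Minor: "Prerequsites" and "You have deploy" in the added prerequisites.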


Difference Topic ARP (r1.1 - 16 Feb 2006 - BrucLiong)
Line: 1 to 1
Added:
>
>
META TOPICPARENT WebHome

Attribute Release Policy (ARP)

Purpose

Components of ARP

Example

-- BrucLiong - 16 Feb 2006

Revision r1.1 - 16 Feb 2006 - 14:40 - BrucLiong
Revision r1.9 - 17 Feb 2008 - 06:07 - BrucLiong