Federation.ARP r1.9 - 17 Feb 2008 - 06:07 - BrucLiong


Attribute Release Policy (ARP)

On the Shibboleth IdP side, whether an attribute that the resolver can produce is actually released to a Service Provider is decided entirely by Attribute Release Policies (ARPs).

A full and comprehensive description of ARP configuration is provided by the Shibboleth community. Institutions interested in becoming an IdP should study the ARP section of the Shibboleth installation guide carefully.

Some key points to note:

  • There is a site-wide ARP file called arp.site.xml. There can also be ARPs that apply to specific individuals, stored as arp.user.$PRINCIPAL.xml, where $PRINCIPAL is the principal name of the individual. At run time, after a user has logged in, the Attribute Authority uses the user's principal to find that user's ARP (if any) and combines it with the site-wide ARP to form what is known as the "effective" ARP. Every attribute to be released is evaluated against this effective ARP.
  • Currently, ARP files can only be stored on the filesystem. Modifying them does not require a restart of the IdP; the new ARPs are applied immediately. Because an edit takes effect as soon as the file is saved, keep the arps directory writable only by the account that administers the IdP: a mistaken or malicious change to arp.site.xml alters what is released to every SP at once.

To best understand how to setup the ARP in practice, we will go through setting the ARP for the following:

  • How to set up ARPs for different service levels of an application
  • How to set up the release of attributes to a specific Service Provider

Prerequisites:

  • You have installed an IdP following the instructions here. We will be editing the site ARP file, arp.site.xml, residing in the /usr/local/shibboleth-idp/arps directory.
  • You have installed a Shibboleth Service Provider following the instructions here.
  • You have deployed the demo JSP application according to this guide. This JSP application reflects the attributes passed via Shibboleth, and has three service levels:
    • Bronze service requires release of “eduPersonAffiliation” attribute only.
    • Silver service requires release of “eduPersonAffiliation” and “eduPersonNickname” attributes.
    • Gold service requires release of “eduPersonAffiliation”, “eduPersonNickname” and “sn” attributes.

Releasing Attributes for Different Service Levels

  • With no attributes released, point your browser at your JSP demo page, i.e. http://SP_HOST/jsp-examples/demo.jsp. At the WAYF, select your IdP; after logging in, you will see that your access level is none. This is the default: an ARP that permits nothing releases nothing.

  • For bronze service, use the following content for your arp.site.xml. The <AnyTarget/> target makes the rule apply to every SP that requests attributes:

    <?xml version="1.0" encoding="UTF-8"?>
    <AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
    <Rule>
        <Description/>
        <Target>
           <AnyTarget/>
        </Target>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
            <AnyValue release="permit"/>
        </Attribute>

    </Rule>
    </AttributeReleasePolicy>

  • Close all browser windows (to end the session) and go back to the JSP demo URL. This time you should see that your access level is bronze, and the value of your eduPersonAffiliation attribute should be printed on the page.

  • For silver service, add the following Attribute element inside the Rule in your arp.site.xml:

        <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname">
            <AnyValue release="permit"/>
        </Attribute>

  • This time when you go back to the JSP demo URL (after closing all the browser windows), your access level should be silver.

  • For gold service, add the following Attribute element to the same Rule:

        <Attribute name="urn:mace:dir:attribute-def:sn">
            <AnyValue release="permit"/>
        </Attribute>

  • Close all browser windows again and revisit the demo URL; your access level should now be gold, with all three attributes printed on the page.

Releasing Attributes to a Specific Service Provider

  • Assume your SP hostname is "sp.mams.org.au". You can restrict the release of each attribute to a specific Service Provider, identified by the SP's providerId.

  • The example below restricts the release of all the above attributes to the SP whose providerId is "urn:mace:federation.mams.local:testfed:sp-error.mams.org.au". Replace the <Target> element of the rule (which so far contained <AnyTarget/>) with:
     <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">urn:mace:federation.mams.local:testfed:sp-error.mams.org.au</Requester>
     </Target>
  • If you now try to access the JSP application, you will see that no attributes are released: your SP's providerId does not match the Requester, so no rule in the effective ARP applies to it, and the default (deny) takes effect.

  • If you change the target value back to "urn:mace:federation.mams.local:testfed:sp.mams.org.au", all attributes will be released again, because the target now matches your SP's providerId:
     <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">urn:mace:federation.mams.local:testfed:sp.mams.org.au</Requester>
     </Target>

  • You can also control the release of individual attribute values rather than whole attributes. The following releases eduPersonAffiliation only when its value is "staff"; the "member" value is withheld:
        <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
            <Value release="permit">staff</Value>
            <Value release="deny">member</Value>
        </Attribute>

  • Note that a deny always wins: if any rule in the effective ARP (site-wide or per-user) denies a value, a permit for the same value in another rule does not release it, and a value that no rule permits is never released.
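To make the combination rules on this page concrete, here is an added Python example, written for this page rather than taken from Shibboleth or the MAMS guide: a small model of effective-ARP evaluation, fed with the gold-level rule narrowed to the sp.mams.org.au providerId and a constructed per-user ARP for a hypothetical principal "jdoe". It covers only the constructs used above (AnyTarget, Requester with exactShar, AnyValue, Value with permit/deny) plus the deny-over-permit rule; everything else about the real IdP engine is outside its scope. The attribute values for "jdoe" are constructed, not real data.

```python
# Added example: a Python model of how an effective ARP is evaluated.
# Written for this page; it is NOT the Shibboleth IdP's own ARP engine.
# Only the constructs used on the page are modelled. All ARPs, the
# principal "jdoe" and its attribute values are constructed sample data.
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"
EXACT_SHAR = "urn:mace:shibboleth:arp:matchFunction:exactShar"
AFF = "urn:mace:dir:attribute-def:eduPersonAffiliation"
NICK = "urn:mace:dir:attribute-def:eduPersonNickname"
SN = "urn:mace:dir:attribute-def:sn"
SP_OK = "urn:mace:federation.mams.local:testfed:sp.mams.org.au"
SP_ERR = "urn:mace:federation.mams.local:testfed:sp-error.mams.org.au"

# Constructed arp.site.xml: the page's gold-level rule, restricted to one SP,
# with value-level control on eduPersonAffiliation.
SITE_ARP = f"""<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Rule>
    <Target>
      <Requester matchFunction="{EXACT_SHAR}">{SP_OK}</Requester>
    </Target>
    <Attribute name="{AFF}">
      <Value release="permit">staff</Value>
      <Value release="deny">member</Value>
    </Attribute>
    <Attribute name="{NICK}"><AnyValue release="permit"/></Attribute>
    <Attribute name="{SN}"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Constructed per-user ARP (would live in arp.user.jdoe.xml): this user's
# surname is never released, to any SP.
USER_ARP = f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="{SN}"><AnyValue release="deny"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Constructed values as the resolver might produce them for "jdoe".
USER_ATTRS = {AFF: ["staff", "member"], NICK: ["jd"], SN: ["Doe"]}

ANY = object()  # sentinel standing for <AnyValue/>


def _q(tag):
    return "{%s}%s" % (ARP_NS, tag)


def target_matches(rule, provider_id):
    """True if the rule's <Target> applies to the requesting SP's providerId."""
    target = rule.find(_q("Target"))
    if target is None:
        return False
    if target.find(_q("AnyTarget")) is not None:
        return True
    for req in target.findall(_q("Requester")):
        fn = req.get("matchFunction")
        if fn != EXACT_SHAR:  # other match functions are out of scope here
            raise NotImplementedError("only exactShar is modelled: %r" % fn)
        if (req.text or "").strip() == provider_id:
            return True
    return False


def effective_release(arps, provider_id, user_attrs):
    """Combine every ARP into the effective ARP for this SP and filter the
    user's attributes through it. Release is deny by default: a value goes out
    only if some matching rule permits it and no matching rule denies it."""
    permits, denies = {}, {}
    for arp_xml in arps:
        for rule in ET.fromstring(arp_xml).findall(_q("Rule")):
            if not target_matches(rule, provider_id):
                continue  # rule does not target this SP; it contributes nothing
            for attr in rule.findall(_q("Attribute")):
                name = attr.get("name")
                for child in attr:
                    # anything that is not an explicit permit is treated as deny
                    bucket = permits if child.get("release") == "permit" else denies
                    value = ANY if child.tag == _q("AnyValue") else (child.text or "").strip()
                    bucket.setdefault(name, set()).add(value)
    released = {}
    for name, values in user_attrs.items():
        p, d = permits.get(name, set()), denies.get(name, set())
        kept = [v for v in values if (ANY in p or v in p) and not (ANY in d or v in d)]
        if kept:
            released[name] = kept
    return released


def service_level(released):
    """Map the released attribute names onto the demo JSP's service levels."""
    have = set(released)
    if {AFF, NICK, SN} <= have:
        return "gold"
    if {AFF, NICK} <= have:
        return "silver"
    if AFF in have:
        return "bronze"
    return "none"


if __name__ == "__main__":
    for label, arps, sp in [("site ARP, matching SP", [SITE_ARP], SP_OK),
                            ("site + user ARP, matching SP", [SITE_ARP, USER_ARP], SP_OK),
                            ("site ARP, other SP", [SITE_ARP], SP_ERR)]:
        rel = effective_release(arps, sp, USER_ATTRS)
        print("%-30s -> %-6s %s" % (label, service_level(rel), rel))
```

Running it prints the level reached in each scenario: gold for the site ARP alone (with only the "staff" affiliation value released), silver once the user ARP's deny on sn is combined in, and none when the requester's providerId does not match (the sp-error case). To try a different policy, paste the contents of an arp.site.xml into SITE_ARP and adjust USER_ATTRS to the values your resolver produces.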




Copyright © 1999-2008 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.