Suppressing a Shibboleth filter policy rule with locally defined rule

It is possible to define a Shibboleth IdP attribute release policy for a specific service provider locally, rather than using the policy generated by the Resource Registry. This is useful where a service provider needs a more advanced policy than the Resource Registry can express.

In the following example, the service e5.onthehub.com (Kivuto) has special attribute requirements, the most common of which is the release of an eduPersonEntitlement value, containing a Kivuto-issued institution code, for science, technology, engineering and mathematics (STEM) students.

Step 1: Assign all Kivuto Codes to all students

The attribute-resolver.xml file should be updated to assign the entitlement values to all users. Most institutions use statically defined entitlement values, so adding additional values should be straightforward. The following XML is an example of what a static definition would look like for the Kivuto Codes 1455666 and 1320948.


<resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
  <dc:Attribute id="eduPersonEntitlement">
    <dc:Value>urn:mace:heanet.ie:edugate:sp:onthehub:14556661</dc:Value>
    <dc:Value>urn:mace:heanet.ie:edugate:sp:onthehub:13209481</dc:Value>
  </dc:Attribute>
</resolver:DataConnector>

We will rely on the user's distinguishedName when it comes to filtering the values later. The corresponding attribute definition should also be added to the attribute-resolver (if it is not there already).

Step 2: Disable the Resource Registry Policy for the Service

Once the attributes have been defined, the existing Resource Registry generated policy can be overridden with an exclusion rule for onthehub.com using the following procedure:

  1. Log in to the Resource Registry at http://edugate.heanet.ie/rr3
  2. Select Identity Providers > List
  3. Select your institution's IdP from the list
  4. Click 'Edit' at the top of the page.
  5. Scroll down to 'ARP' and click on the Manage button (Figure 1)
  6. Select the checkbox beside the service provider that you want to create a local policy for (onthehub) and then click Save (Figure 2)
  7. You can now create a local policy.

Figure 1.

Figure 2.

Step 3: Create a locally defined attribute policy

The file attribute-filter.xml contains the local policies. The following XML filters the entitlement values based on some criteria (the student's OU in this example). This XML also permits the release of the distinguishedName attribute; this is required because the entitlement filtering rules depend on it.

<AttributeFilterPolicy id="distinguishedName4OnTheHub">
   <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://e5.onthehub.com" />
   <AttributeRule attributeID="distinguishedName">
      <PermitValueRule xsi:type="basic:ANY" />
   </AttributeRule>
</AttributeFilterPolicy>

<!-- onthehub webstore codes 455666 and 13209400 are available to STEM students -->
<AttributeFilterPolicy id="onthehub-allowing-account-code-1455666and13209400toStudentsWhoHaveComputerScienceInTheirDN">
   <PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://e5.onthehub.com" />
      <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex=".*OU=ComputerScience.*$" />
   </PolicyRequirementRule>
   <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209400" ignoreCase="true" />
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true" />
      </PermitValueRule>
   </AttributeRule>
</AttributeFilterPolicy>

<!-- onthehub webstore codes 455666 and 13209400 are available to STEM students -->
<AttributeFilterPolicy id="onthehub-allowing-account-code-1455666and13209400toStudentsWhoHaveMathematicsInTheirDN">
   <PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://e5.onthehub.com" />
      <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex=".*OU=Mathematics.*$" />
   </PolicyRequirementRule>
   <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209400" ignoreCase="true" />
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true" />
      </PermitValueRule>
   </AttributeRule>
</AttributeFilterPolicy>

<!-- onthehub accounts 13209481 and 13209482 are available to all students -->
<AttributeFilterPolicy id="onthehub-allowing-account-code-13209481and13209482toSAllStudents">
   <PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://e5.onthehub.com" />
      <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex=".*OU=Student.*$" />
   </PolicyRequirementRule>
   <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true" />
         <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209482" ignoreCase="true" />
      </PermitValueRule>
   </AttributeRule>
</AttributeFilterPolicy>
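To sanity-check which codes the Step 3 policies release before deploying them, the following Python (an added example, not part of this page or of Shibboleth) models the filter semantics of the XML above: a policy contributes values only when its PolicyRequirementRule holds, and the released set is the union across all matching policies. The tuple encoding of the rules, the sample DNs and the `ALL_CODES` list are constructed for the example.

```python
import re

# Constructed model of the Step 3 attribute-filter.xml policies, as
# (PolicyRequirementRule, attributeID, PermitValueRule) tuples.
ONTHEHUB = "https://e5.onthehub.com"
CODE = "urn:mace:heanet.ie:edugate:sp:onthehub:"
STEM = ("OR", ("Value", CODE + "13209400"), ("Value", CODE + "14556661"))
POLICIES = [
    (("Requester", ONTHEHUB), "distinguishedName", ("ANY",)),
    (("AND", ("Requester", ONTHEHUB), ("Regex", "distinguishedName", r".*OU=ComputerScience.*$")),
     "eduPersonEntitlement", STEM),
    (("AND", ("Requester", ONTHEHUB), ("Regex", "distinguishedName", r".*OU=Mathematics.*$")),
     "eduPersonEntitlement", STEM),
    (("AND", ("Requester", ONTHEHUB), ("Regex", "distinguishedName", r".*OU=Student.*$")),
     "eduPersonEntitlement", ("OR", ("Value", CODE + "13209481"), ("Value", CODE + "13209482"))),
]
# Every user carries all codes from the static data connector (Step 1).
ALL_CODES = [CODE + c for c in ("13209400", "14556661", "13209481", "13209482")]

def matches(rule, requester, attrs, value=None):
    """Evaluate one match function; `value` is the single value under test inside a PermitValueRule."""
    kind = rule[0]
    if kind == "ANY":
        return True
    if kind == "Requester":
        return requester == rule[1]
    if kind == "Regex":  # modelled as a whole-value match, hence the leading .* in the page's patterns
        return any(re.fullmatch(rule[2], v) for v in attrs.get(rule[1], []))
    if kind == "Value":  # ignoreCase="true" in the page's rules
        return value is not None and value.lower() == rule[1].lower()
    if kind == "AND":
        return all(matches(r, requester, attrs, value) for r in rule[1:])
    if kind == "OR":
        return any(matches(r, requester, attrs, value) for r in rule[1:])
    raise ValueError(f"unsupported rule type {kind}")

def release(requester, attrs):
    """Values released to `requester`: union of what every matching policy's PermitValueRule accepts."""
    out = {}
    for requirement, attr_id, permit in POLICIES:
        if not matches(requirement, requester, attrs):
            continue
        for v in attrs.get(attr_id, []):
            if matches(permit, requester, attrs, v):
                out.setdefault(attr_id, set()).add(v)
    return {k: sorted(vals) for k, vals in out.items()}

def user(dn):
    """Constructed resolved attributes for a user with the given DN."""
    return {"distinguishedName": [dn], "eduPersonEntitlement": ALL_CODES}
```

Running `release()` against a constructed `OU=StudentServices` DN also yields the all-student codes, because `.*OU=Student.*$` matches any OU whose name begins with Student; anchor the pattern on the following comma (for example `.*,OU=Student,.*`) if only the Student OU itself is intended.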