Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph
Transcript of Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph
![Page 1: Shibboleth Attribute Release Policy Editing Tools ShARPE and Autograph](https://reader036.fdocuments.in/reader036/viewer/2022062520/56815e31550346895dcc8e5f/html5/thumbnails/1.jpg)
04/22/23 META ACCESS MANAGEMENT SYSTEM 1
Shibboleth Attribute Release Policy
Editing Tools
ShARPE and Autograph
I2MM April 2006
Neil Witheridge, MAMS Project Manager, [email protected] (melcoe.mq.edu.au)
http://federation.org.au/
Problem Statement
ARP Administration (ShARPE)
ARP administrators need a ‘zero effort’ approach to implementing an access agreement with a SP – setting up site and group ARPs to supply required attributes.
User Privacy Control (Autograph)
There is a ‘real world’ requirement for privacy management, for end-user control of release of privacy-sensitive attributes.
A ‘zero-effort’ GUI interface is required.
Evaluation Release
ShARPE and Autograph (version 0.7) released for evaluation purposes
Elicitation of ‘real world’ requirements
As Shibboleth stakeholders, IdP and SP administrators and users, do these tools satisfy your requirements for ARP management?
Feedback requested on usefulness and usability.
Shibboleth Attribute Release Policy
Shibboleth provides for privacy control through Attribute Release Policies (ARPs)
Rules specifying which attributes may be released to a SP for IdP members in general, or for specific individuals
[Diagram, after user authentication & opaque handle delivery to SP: Protected Service; SP (Attribute Consumer Service, AAP); IdP (Attribute Authority, ARPs, User Attributes). (1) SAML Attribute Request + handle from SP to IdP; (2) SAML Attribute Response from IdP to SP.]
Info Available To Protected App Via HTTP header
(standard header parameters)
host = demo.federation.org.au
user-agent = Mozilla/5.0;
accept = …;
accept-encoding = …;
accept-charset =
Keep-Alive = 300;
connection = keep-alive
referer = https://openidp.mams.org.au/shibboleth-idp/SSO ...
cookie = …
(Shibboleth specific parameters)
Shib-Identity-Provider = urn:mace:federation.org.au:testfed:level-1:openidp.mams.org.au
Shib-Authentication-Method = urn:oasis:names:tc:SAML:1.0:am:unspecified
(User Attributes)
Shib-EP-UnscopedAffiliation = Staff;Physics
Shib-Person-nickname = Sue
Attributes – IdP context
Key:Value pairs, e.g. eduPersonAffiliation:Physics
User information stored within institutional directory, e.g. LDAP
Directory schema determines available keys (attribute names)
Standardised schema, e.g. person, organizationalPerson, inetOrgPerson, eduPerson…
Custom schema - institution specific data
Custom schema for elements that don't have a clear mapping to standard schemas
Attributes – SP context
Received user attributes (in SAML assertion from IdP) are basis of access control
Service or service feature accessibility
Service Levels – not necessarily hierarchical
Potential for complex attribute-based access control: university, campus, role, discipline, course, year, group…
SP attribute requirements must conform to standard schema or be mappable from IdP attribute schema
Current Shib Federations
Current generation of Shib Federations: 1st generation?
Simple approach to access control, attributes & attribute management
How will SPs use attributes as Federated IAM evolves?
Greater use of user attributes for service differentiation
Increasing service complexity (service features) and demand for user attributes
Emerging Federated Services
Institutional Repositories and CMSs
More fine-grained protection of resources based on user attributes
Virtual Organisations & GRID Services
Inter-organisational, national -> international collaboration
Virtual Librarian (MAMS service development)
Example MAMS Shibbolised Service
Needs relatively rich set of attributes
Current ARP Management
SP attribute requirements agreed / negotiated manually (not scalable)
Site and User ARPs, no Group ARPs
Lack of service information for users (what attributes are required, released, for what reason)
Lack of interface for user ARP control
User can’t access ARP files
Shibboleth ARP Editing Tools
Provide a GUI-based editor to enable
  ARP admins to implement access contracts
  Users to manage their ARPs
Provide visibility to user of:
  attributes required by services
  attributes released to services
  Service received in return for attributes
Enable users to change their ARPs, hence exercise privacy control
New features
(In order to provide comprehensive GUI for creation of ARPs)
Group ARPs
  Current Shibboleth supports site and user ARPs
Service Descriptions
  Comprehensive information about SP’s service, service levels, attribute requirements
Attribute Mapping
  Support for mapping between IdP and SP schemas
ShARPE – ARP Administrator
ARP Admin:
  Import Service Description (Physics research database from Sandstone Uni)
  Create site ARP (all communities get bronze access)
  Create group ARP (Physics community gets gold access)
[Screenshot: SandstoneUniServiceDescription.xml]
[Screenshot: arp.site.xml]
[Screenshot: arp.group.Physics.xml]
Autograph – IdP Member
IdP member: Susannah Halmay, Physics staff member
  View attributes released
  Deny release of attributes required for Gold access
[Screenshot: arp.user.sue.xml]
Group ARPs
How will contracts be established between an IdP and SPs?
Groups within institutions (IdPs) create agreements, maybe requiring subscription involving formal T&Cs and/or payment
Attribute release policy defined for the group
  Appropriate static values (contract number)
Members’ attribute release policy by virtue of group membership
Group Information sources
List of Groups & IdP member group membership information
  Institutional Directory
  Flat files
Responsibility for Group ARP Administration?
Future: Grouper & Signet
Service Descriptions
SP’s Service and Service Level descriptions and attribute requirements
Services may provide service-levels - different functionality - based on supplied attributes
  e.g. for an institutional repository or publisher: read access, adding comments/rank/annotations, submit access…
Comprehensive Service Provider information needed by both admins and users for ‘sensible’ attribute management
ShARPE introduces ‘Service Description’ metadata to support ‘fully informative’ GUI
Service Description Editor [screenshot]
Service Description Editor [screenshot, continued]
Attribute Mapping
Requirement to map between IdP and SP schemas (standard/custom to standard/custom...)
Attribute mapping functions:
  One-to-One Mapping
  Concatenation
  Static Value assignment
  Hashing (e.g. TargetedID)
Examples:
  Simple: ‘email’ to ‘mail’, or ‘gender’ to ‘sex’
  Complex: creating targetedID (e.g. hash(concat(SPname, email)))
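The four mapping functions above as composable Python callables, used to build the targetedID the slide describes. This is an added example, not code from the slides or from ShARPE; the SP names, the user record, the contract number and the optional keyed-hash variant are assumptions.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional

Attrs = Dict[str, str]            # IdP-side attribute name -> value
Mapper = Callable[[Attrs], str]   # computes one SP-side attribute value


# The four mapping functions from the slide, as composable callables.
def one_to_one(idp_name: str) -> Mapper:
    """One-to-One Mapping: rename an IdP attribute for the SP."""
    return lambda attrs: attrs[idp_name]


def concat(*parts: Mapper, sep: str = "") -> Mapper:
    """Concatenation of the values produced by other mappers."""
    return lambda attrs: sep.join(p(attrs) for p in parts)


def static(value: str) -> Mapper:
    """Static Value assignment (e.g. a group's contract number)."""
    return lambda attrs: value


def hashed(inner: Mapper, key: Optional[bytes] = None) -> Mapper:
    """Hashing. key=None is the plain hash(...) the slide describes.
    Passing an IdP-held key switches to HMAC (an assumed hardening, not on
    the slide): a plain hash of SPname+email can be recomputed by anyone
    who can guess the email and knows the SP name; a keyed one cannot."""
    def f(attrs: Attrs) -> str:
        data = inner(attrs).encode()
        if key is None:
            return hashlib.sha256(data).hexdigest()
        return hmac.new(key, data, hashlib.sha256).hexdigest()
    return f


def mapping_for(sp_name: str, key: Optional[bytes] = None) -> Dict[str, Mapper]:
    """SP-side attribute name -> mapper, for one SP (names are constructed)."""
    return {
        "mail": one_to_one("email"),                    # simple rename
        "sex": one_to_one("gender"),                    # simple rename
        "contractNumber": static("CONTRACT-0042"),      # constructed static value
        # complex: targetedID = hash(concat(SPname, email)), as on the slide
        "targetedID": hashed(concat(static(sp_name), one_to_one("email")), key),
    }


def apply_mapping(mapping: Dict[str, Mapper], attrs: Attrs) -> Attrs:
    """Resolve every SP-side attribute from the IdP-side attributes."""
    return {sp_attr: fn(attrs) for sp_attr, fn in mapping.items()}


if __name__ == "__main__":
    # Constructed user record; the same person as seen by two different SPs
    # gets two unlinkable targetedID values but the same mail/sex values.
    user = {"email": "sue@sandstone.example.edu", "gender": "F"}
    for sp in ("urn:example:sp-a", "urn:example:sp-b"):
        print(sp, apply_mapping(mapping_for(sp), user))
```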
Attribute Mapping GUI [screenshot]
Evaluating ShARPE & Autograph
View Flash Demonstrations via http://www.federation.org.au/twiki/bin/view/Federation/ShARPE
Experiment with Autograph using a pre-configured ‘openIdP’: http://opensharpe.mams.org.au
Install your own evaluation IdP including ShARPE and Autograph
  NMI Edit software release 9: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
  MAMS’ Easy Installation IdP with ShARPE: http://www.federation.org.au/software/installcd/
Evaluating ShARPE & Autograph (cont’d)
Install on top of existing IdP: http://www.federation.org.au/software/Autograph_ShARPE-0.7.zip
Qualifications:
  Attribute Mapping is optional functionality (can be disabled at installation). Attribute mapping is relatively complex and changes the resolver file; not intended to be deployed on production systems.
  ShARPE and Autograph without attribute mapping only write to ARPs.
Thank you
Questions ?
Shibboleth Architecture
Shibboleth Federation components
[Diagram: Service Provider: provides services accessible via the web; wants to focus on core business & avoid risks of managing users’ confidential info. WAYF. User: belongs to an organisation which manages her identity; privacy concerns. Identity Provider: secure identity management is a core business requirement.]
Background: Shibboleth
Standards based (SAML)
Open source middleware
Provides Web Single Sign-On (SSO) across or within institutional boundaries
SSO using session cookies
Provides secure transfer of user attributes between user’s Identity Provider (IdP) and Service Providers (SPs)
Group Information sources

```xml
<ReleasePolicyEngine>
  <ArpRepository implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.provider.MAMSFileSystemArpRepository">
    <Path>file:/usr/local/shibboleth-idp/etc/arps/</Path>
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.AttributeResolverGroupLookup">
      <ResolverConfig implementation="edu.internet2.middleware.shibboleth.aa.attrresolv.MAMSAttributeResolver">
        file:///usr/local/shibboleth-idp/etc/resolver.ldap.xml
      </ResolverConfig>
      <UserGroup>urn:mace:dir:attribute-def:eduPersonAffiliation</UserGroup>
    </GroupLookup>
    <GroupLookup implementation="au.edu.mq.melcoe.mams.sharpe.shib.aa.arp.group.provider.PropertyFileGroupLookup" separator="%PRINCIPAL%.">
      <PropertyFile>file:///usr/local/shibboleth-idp/etc/sample.grouplookup.properties</PropertyFile>
      <GroupListing>institutionalGroupList</GroupListing>
      <GroupListing>groupList</GroupListing>
    </GroupLookup>
  </ArpRepository>
</ReleasePolicyEngine>
```
Group Information sources
Example of group names in flat file

```text
debian> cd /usr/local/shibboleth-idp/etc
debian> cat sample.grouplookup.properties
#Sample group lookup using PropertyFileGroupLookup
#this defines institutional-wide groups
institutionalGroupList=Administrator, Staff, Researcher
#an example of local groups
groupList=Library, Physics, Biology, Walk-in
#user based attributes specifying the groups
#ann.eduPersonAffiliation=Researcher
#staff.eduPersonAffiliation=Staff
#librarian.eduPersonAffiliation=HeadOfSchool, Staff, Librarian
debian>
```
Service Description Schema
The SD XML schema includes the following @attributes and elements:
  Service Provider: identifier, name, location, description, service-independent attributes
  Service: @identifier, name, description, location, reference, service-specific level-independent attributes
  Service Level: @identifier, name, description, reference, level-specific attributes
Service Description Example

```xml
<ServiceProvider …>
  <ServiceProviderIdentifier>urn:mace:federation.org.au:testfed:level-1:federation.org.au</ServiceProviderIdentifier>
  <ServiceProviderName xml:lang="en">Sandstone University</ServiceProviderName>
  <ServiceProviderLocation xml:lang="en">https://demo.federation.org.au</ServiceProviderLocation>
  <ServiceProviderDescription xml:lang="en">Online Services for Physics Researchers</ServiceProviderDescription>
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceName xml:lang="en">Laser and Optical Physics Database</ServiceName>
    <ServiceDescription xml:lang="en">Data Generated by Physics Researchers</ServiceDescription>
    <ServiceLocation xml:lang="en">https://demo.federation.org.au/SharpeJSPDemo/demo.jsp</ServiceLocation>
    <ServiceLevel identifier="gold">
      <ServiceLevelName xml:lang="en">Gold Access</ServiceLevelName>
      <ServiceLevelDescription xml:lang="en">Search, View, Query, Comment on Data</ServiceLevelDescription>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation" FriendlyName="your affiliation" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:eduPersonNickname" FriendlyName="your nickname" isRequired="true"/>
      <md:RequestedAttribute Name="urn:mace:dir:attribute-def:sn" FriendlyName="surname" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="silver">…</ServiceLevel>
    <ServiceLevel identifier="bronze">…</ServiceLevel>
  </Service>
</ServiceProvider>
```
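An added example, not from the slides or from ShARPE, tying the ShARPE/Autograph walkthrough together: it parses a group file in the PropertyFileGroupLookup shape shown earlier and the service-level attribute requirements above, then combines site, group and user ARPs to see which service level each IdP member ends up with. The silver and bronze levels, the group-file entries, the simplified permit/deny ARP model (deny taking precedence) and the md: namespace are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Set

# Group lookup in the sample.grouplookup.properties shape, constructed here;
# with separator "%PRINCIPAL%." a user line is "<principal>.<attr>=<groups>".
GROUP_PROPERTIES = """\
#constructed sample group lookup (PropertyFileGroupLookup format)
institutionalGroupList=Administrator, Staff, Researcher
groupList=Library, Physics, Biology, Walk-in
sue.eduPersonAffiliation=Staff, Physics
tom.eduPersonAffiliation=Staff, Physics
ann.eduPersonAffiliation=Researcher, Chess
"""

def parse_properties(text: str) -> Dict[str, Set[str]]:
    """key=a, b, c lines -> {key: {a, b, c}}; comments and blanks skipped."""
    props: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = {v.strip() for v in value.split(",") if v.strip()}
    return props

def groups_for(principal: str, props: Dict[str, Set[str]],
               user_group_attr: str = "eduPersonAffiliation") -> Set[str]:
    """A principal's groups, limited to those the GroupListing keys declare."""
    known = props.get("institutionalGroupList", set()) | props.get("groupList", set())
    return props.get(f"{principal}.{user_group_attr}", set()) & known

# Service Description: gold as on the slide; silver and bronze are elided
# there and constructed here. md: is assumed to be SAML 2.0 metadata.
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
AFFIL = "urn:mace:dir:attribute-def:eduPersonAffiliation"
NICK = "urn:mace:dir:attribute-def:eduPersonNickname"
SN = "urn:mace:dir:attribute-def:sn"
SERVICE_DESCRIPTION = f"""<ServiceProvider xmlns:md="{MD[1:-1]}">
  <Service identifier="sandstoneuni:physicsdatabase">
    <ServiceLevel identifier="gold">
      <md:RequestedAttribute Name="{AFFIL}" isRequired="true"/>
      <md:RequestedAttribute Name="{NICK}" isRequired="true"/>
      <md:RequestedAttribute Name="{SN}" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="silver">
      <md:RequestedAttribute Name="{AFFIL}" isRequired="true"/>
      <md:RequestedAttribute Name="{SN}" isRequired="true"/>
    </ServiceLevel>
    <ServiceLevel identifier="bronze">
      <md:RequestedAttribute Name="{AFFIL}" isRequired="true"/>
    </ServiceLevel>
  </Service>
</ServiceProvider>"""

def parse_levels(xml_text: str) -> Dict[str, Set[str]]:
    """ServiceLevel identifier -> names of its isRequired attributes."""
    levels: Dict[str, Set[str]] = {}
    for level in ET.fromstring(xml_text).iter("ServiceLevel"):
        levels[level.get("identifier")] = {
            ra.get("Name") for ra in level.findall(MD + "RequestedAttribute")
            if ra.get("isRequired", "false").lower() == "true"}
    return levels

# Simplified ARP model (not the Shibboleth ARP XML): the site ARP gives every
# community bronze, the Physics group ARP gives gold, and Sue's user ARP
# denies the nickname, as in the Autograph walkthrough.
SITE_ARP = {"permit": {AFFIL}, "deny": set()}
GROUP_ARPS = {"Physics": {"permit": {AFFIL, NICK, SN}, "deny": set()}}
USER_ARPS = {"sue": {"permit": set(), "deny": {NICK}}}

def effective_release(principal: str, groups: Set[str]) -> Set[str]:
    """Union of permits over site, group and user ARPs; any deny wins."""
    arps = [SITE_ARP] + [GROUP_ARPS[g] for g in groups if g in GROUP_ARPS]
    arps.append(USER_ARPS.get(principal, {"permit": set(), "deny": set()}))
    permitted = set().union(*(a["permit"] for a in arps))
    denied = set().union(*(a["deny"] for a in arps))
    return permitted - denied

def service_level(principal: str) -> Optional[str]:
    """Highest level whose required attributes are all released to the SP."""
    groups = groups_for(principal, parse_properties(GROUP_PROPERTIES))
    released = effective_release(principal, groups)
    levels = parse_levels(SERVICE_DESCRIPTION)
    for name in ("gold", "silver", "bronze"):
        if levels[name] <= released:
            return name
    return None
```

Sue's nickname denial drops her from gold to silver while tom, also in Physics, keeps gold; a principal with no group entry still gets bronze from the site ARP.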