Thu, Feb 17, 2005


This file is your Attribute Acceptance Policy engine. It’s here that you tell shibboleth what to do with incoming attributes from an AA. The eduPerson attributes are already set up for you, so we’ll look at the one I use to map the Novell NDS attribute groupMembership to specific acceptance criteria and also how to let scripting languages get at the attribute.

Here’s the SAML coming from the AA. I’ve left out the namespace declarations and wrapping SOAP and SAML elements for clarity:

<AttributeStatement>   <Subject>     <NameIdentifier Format=“urn:mace:shibboleth:1.0:nameIdentifier” NameQualifier=“idp.org.ac.uk”<5387459</NameIdentifier>   </Subject>   <Attribute AttributeName=“urn:org:uk:attribute-def:groupMembership” AttributeNamespace=“urn:mace:shibboleth:1.0:attributeNamespace:uri”>     <AttributeValue>cn=admins,ou=company,o=org</AttributeValue>     <AttributeValue>cn=testers,ou=company,o=org</AttributeValue>   </Attribute> </AttributeStatement>

The above Attribute/AttributeValue pairs show that the user identified as “5387459” is a member of the “admins” and “testers” groups at their organisation.

It’s recommended that you use “urn:mace:shibboleth:1.0:attributeNamespace:uri” for the “AttributeNamespace” of your attributes and choose an appropriate URN for the attribute itself. As you can see, our attribute is scoped to “urn:org:uk”.

So, shibb has redirected to the IdP, the user has been authenticated and the attributes have arrived at the SP. What next? How do you actually use the attributes? The steps are quite simple:

<AttributeRule Name=“urn:uhi:ac:uk:attribute-def:givenName” Header=“Organisation-First-Name” Alias=“firstname”>   <AnySite>     <AnyValue />   </AnySite> </AttributeRule>

The above AttributeRule states the following:

comments powered by Disqus