Attributfreigabe für Code-of-Conduct SPs

Basiert auf der DSGVO. Weitere Infos unter Entity Categories und https://refeds.org/category/code-of-conduct/v2.

IdPs, die die unten genannte Filter Policy implementiert haben, sollten in der Metadatenverwaltung den entsprechenden Entity-Category-Support setzen!

NB: Der Bedarf bezüglich einer pairwise-id oder subject-id muss SP-seitig über ein entsprechendes Entity Attribut signalisiert werden, siehe hierzu auch diese Beispiele.

Hier ein Beispiel für die Freigabe der subject-id/pairwise-id (sofern angefordert) für SPs, die dem CoCo v.2 folgen:

./conf/attribute-filter.xml
    <!-- releaseSubjectId2coco: release the SAML subject-id only when BOTH conditions hold:
         (1) the SP signals a subject-id requirement via the entity attribute
             urn:oasis:names:tc:SAML:profiles:subject-id:req with value "subject-id", and
         (2) the SP carries the REFEDS Code of Conduct v2 entity category.
         An SP that signals "any" is NOT matched here; it is handled by the pairwise-id policy.
         NOTE(review): both conditions are read from entity attributes in the SP's metadata, so
         the policy is only as trustworthy as the metadata source that asserts them. Confirm that
         entity categories are accepted only from verified (signed) metadata. -->
    <AttributeFilterPolicy id="releaseSubjectId2coco">
        <PolicyRequirementRule xsi:type="AND"> 
             <Rule xsi:type="EntityAttributeExactMatch"
                   attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                   attributeValue="subject-id" />
             <Rule xsi:type="EntityAttributeExactMatch"
                   attributeName="http://macedir.org/entity-category"
                   attributeValue="https://refeds.org/category/code-of-conduct/v2" />
        </PolicyRequirementRule>
        <!-- permitAny: all values of samlSubjectID are released once the requirement rule matches -->
        <AttributeRule attributeID="samlSubjectID" permitAny="true"/>
    </AttributeFilterPolicy>  
 
    <!-- releasePairwiseId2coco: release the SAML pairwise-id when BOTH conditions hold:
         (1) the SP signals a subject-id requirement of "pairwise-id" OR "any", and
         (2) the SP carries the REFEDS Code of Conduct v2 entity category.
         Mapping "any" to the pairwise identifier presumably gives an SP that accepts either
         identifier the per-SP one; confirm this is the intended default for this deployment.
         NOTE(review): as with the subject-id policy, the entity attributes come from the SP's
         metadata; make sure only verified (signed) metadata can assert them. -->
    <AttributeFilterPolicy id="releasePairwiseId2coco">
        <PolicyRequirementRule xsi:type="AND"> 
             <!-- either requested value satisfies the first condition -->
             <Rule xsi:type="OR">
                <Rule xsi:type="EntityAttributeExactMatch"
                      attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                      attributeValue="pairwise-id" />
                <Rule xsi:type="EntityAttributeExactMatch"
                      attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                      attributeValue="any" />
             </Rule>
             <Rule xsi:type="EntityAttributeExactMatch"
                   attributeName="http://macedir.org/entity-category"
                   attributeValue="https://refeds.org/category/code-of-conduct/v2" />
        </PolicyRequirementRule>
        <!-- permitAny: all values of samlPairwiseID are released once the requirement rule matches -->
        <AttributeRule attributeID="samlPairwiseID" permitAny="true"/>
    </AttributeFilterPolicy>  

Ausführliches Beispiel für eine Attribute Filter Policy, die für die allermeisten Anwendungsfälle passen sollte:

/opt/shibboleth-idp/conf/attribute-filter.xml
    <!-- releaseToCoCo2: attribute release for SPs carrying the REFEDS Code of Conduct v2
         entity category. Every AttributeRule uses AttributeInMetadata, i.e. values are
         permitted only for attributes the SP's metadata lists as requested; attributes the
         SP does not request are not released even though they appear in this list.
         The list below is the maximum set this IdP is willing to release under CoCo v2;
         remove entries the deployment does not want to release at all.
         subject-id / pairwise-id are deliberately not listed here; they are covered by the
         dedicated policies releaseSubjectId2coco and releasePairwiseId2coco.
         NOTE(review): the entity category is read from the SP's metadata; confirm it can only
         be asserted by a verified (signed) metadata source. -->
    <AttributeFilterPolicy id="releaseToCoCo2">
 
       <!-- single requirement: SP is in the REFEDS CoCo v2 entity category -->
       <PolicyRequirementRule 
               xsi:type="EntityAttributeExactMatch"
               attributeName="http://macedir.org/entity-category"
               attributeValue="https://refeds.org/category/code-of-conduct/v2" />
 
       <!-- onlyIfRequired="true" is not written on the rules below; per the v1 example on this
            page it is the default since IdP v3.2 and can be omitted (verify for the deployed version) -->
       <AttributeRule attributeID="displayName">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonScopedAffiliation">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonAffiliation">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="cn">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="givenName">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="sn">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonPrincipalName">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacHomeOrganization">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacHomeOrganizationType">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="o">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
</AttributeFilterPolicy>


Ausführliches Beispiel für den Code of Conduct v1, das alle Eventualitäten abdecken sollte:

/opt/shibboleth-idp/conf/attribute-filter.xml
    <!-- releaseToCoCo: attribute release for SPs carrying the older GEANT Data Protection
         Code of Conduct v1 entity category (note the different attributeValue compared with
         the REFEDS v2 policy above). Every AttributeRule uses AttributeInMetadata, i.e. values
         are permitted only for attributes the SP's metadata lists as requested.
         This variant additionally lists eduPersonTargetedID, which the v2 policy does not.
         NOTE(review): the entity category is read from the SP's metadata; confirm it can only
         be asserted by a verified (signed) metadata source. -->
    <AttributeFilterPolicy id="releaseToCoCo">
 
       <!-- single requirement: SP is in the CoCo v1 entity category -->
       <PolicyRequirementRule 
               xsi:type="EntityAttributeExactMatch"
               attributeName="http://macedir.org/entity-category"
               attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
 
       <!-- onlyIfRequired="true" can be omitted here, as it is the default since IdP v3.2 --> 
 
       <AttributeRule attributeID="displayName">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonScopedAffiliation">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonAffiliation">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="mail">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="cn">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="givenName">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="sn">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="eduPersonPrincipalName">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacHomeOrganization">
         <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="schacHomeOrganizationType">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <!-- legacy per-SP identifier; only present in this v1 variant -->
       <AttributeRule attributeID="eduPersonTargetedID">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
       <AttributeRule attributeID="o">
          <PermitValueRule xsi:type="AttributeInMetadata"/>
       </AttributeRule>
 
</AttributeFilterPolicy>