Both sides previous revision Previous revision Next revision | Previous revision |
en:entity_attributes [2021/03/04 11:04] – [Internationale Entity Categories] Silke Meyer | en:entity_attributes [2023/01/12 19:29] (current) – Wolfgang Pempe |
---|
FIXME **This page is not fully translated, yet. Please help completing the translation.**\\ //(remove this paragraph once the translation is finished)// | |
| |
====== Entity Attributes ====== | ====== Entity Attributes ====== |
| |
</callout> | </callout> |
| |
===== Degrees of Reliance of IdPs ===== | |
| |
This Entity Attribute announces the [[en:degrees_of_reliance|Degree of Reliance]] of an Identity Provider. | |
| |
<file xml dfn-aai-idp-metadata.xml> | |
<md:EntityDescriptor entityID="https://idp.scc.kit.edu/idp/shibboleth"> | |
<md:Extensions> | |
<mdrpi:RegistrationInfo registrationAuthority="https://www.aai.dfn.de" registrationInstant="2010-03-15T10:30:11Z"> | |
<mdrpi:RegistrationPolicy xml:lang="en">https://www.aai.dfn.de/en/join/</mdrpi:RegistrationPolicy> | |
<mdrpi:RegistrationPolicy xml:lang="de">https://www.aai.dfn.de/teilnahme/</mdrpi:RegistrationPolicy> | |
</mdrpi:RegistrationInfo> | |
<mdattr:EntityAttributes> | |
<!-- ... --> | |
<saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | |
<saml:AttributeValue>advanced</saml:AttributeValue> | |
</saml:Attribute> | |
</mdattr:EntityAttributes> | |
</md:Extensions> | |
| |
</file> | |
| |
===== Sirtfi ===== | ===== Sirtfi ===== |
==== GÉANT Data Protection Code of Conduct ==== | ==== GÉANT Data Protection Code of Conduct ==== |
| |
Die Entity Category GÉANT Data Protection Code of Conduct for Service Providers in EU/EEA ist eine Selbstverpflichtungserklärung von Service Providern. Damit sagen Sie über sich aus, dass sie die über SAML2 übertragenen personenbezogenen Daten von Endnutzern entsprechend den geltenden Datenschutzrichtlinien behandeln. Hintergrundinformationen finden Sie hier im [[https://doku.tid.dfn.de/de:geant_coco|Wiki]]. | The Entity Category GÉANT Data Protection Code of Conduct for Service Providers in EU/EEA is a declaration of a common commitment by Service Providers. They commit to dealing with end users' personal data that come in via SAML 2 according to the data protection guidelines in effect. Please see our separate [[https://doku.tid.dfn.de/de:geant_coco|page]] for background information. |
| |
Die Bedingungen für das Tragen der Entity Category sind im [[https://wiki.geant.org/display/eduGAIN/Recipe+for+a+Service+Provider|GÉANT Wiki]] dokumentiert. Unsere Metadatenverwaltung prüft, ob Ihr ''mdui:PrivacyStatementURL'' auf ein Dokument verweist, das den Code of Conduct explizit referenziert. Des Weiteren müssen die Requested Attributes in den Metadaten deklariert sein. | The conditions that have to be met to use this EC are documented in the [[https://wiki.geant.org/display/eduGAIN/Recipe+for+a+Service+Provider|GÉANT Wiki]]. Our metadata administration tool checks whether you ''mdui:PrivacyStatementURL'' links to a document that explicitly references the Code of Conduct. In addition, the requested attributes must be announced in metadata. |
| |
IdPs, die für Code of Conduct-SPs pauschal eine feste Attributliste freigeben möchten, sollten [[:de:shibidp:config-attributes-coco|folgende Filterregel]] haben. | IdPs wanting to release a list of attributes globally to Code of Conduct SPs should have an according [[:de:shibidp:config-attributes-coco|filter policy]] configured. |
| |
==== Research and Scholarship ==== | ==== Research and Scholarship ==== |
| |
Die Entity Category Research and Scholarship können Service Provider setzen, deren Dienst die Zusammenarbeit oder das Management in den Bereichen Forschung und Bildung unterstützt. Die Bedingungen sind bei [[https://refeds.org/category/research-and-scholarship|REFEDS]] aufgelistet, wichtig sind für Sie vor allem die Registrierungskriterien (Punkt 4) und die Attributliste (Punkt 5). | Service Provider supporting research and scholarship interaction, collaboration or management may use the Entity Category Research and Scholarship. The conditions are listed with [[https://refeds.org/category/research-and-scholarship|REFEDS]]. For you, the most important parts are the registration criteria (item no. 4) and the list of attributes (item no. 5). |
| |
Die Attributfreigaben, die IdP-seitig erfolgen können, sind unter [[:de:shibidp:config-attributes-rands|Attributfreigaben für die REFEDS Research and Scholarship Entity Category]] dokumentiert. | The attribute filter policies for IdPs are documented [[:de:shibidp:config-attributes-rands|here in our wiki]]. |
| |
==== Hide from Discovery ==== | ==== Hide from Discovery ==== |
| We have not implemented the Entity Category [[https://refeds.org/category/hide-from-discovery|Hide from Discovery]] in our metadata administration tool. IdPs thus cannot not it. However, SPs should be configured to support the EC (e.g. because of IdPs from other federations). |
| |
Die Entity Category [[https://refeds.org/category/hide-from-discovery|Hide from Discovery]] für IdPs haben wir derzeit nicht in der Metadatenverwaltung implementiert. SPs sollten dennoch so konfiguriert sein, dass Sie die Entity Category unterstützen. | ==== Examples ==== |
| |
==== Beispiele ==== | The following example shows an extract from SP metadata with three Entity Attributes: The SP commits to CoCo compliance, it offers a service for collaboration in research (or similar), and it belongs to the group of Clarin SPs. |
| |
Hier sehen Sie den Metadatenauszug eines Services Providers mit drei Entity Attributes: Er sagt CoCo-Compliance zu, bietet einen Dienst für kollaboratives Arbeiten in der Forschung o.ä. an und gehört zur Gruppe der Clarin-SPs. | |
| |
<file xml dfn-aai-sp-metadata.xml> | <file xml dfn-aai-sp-metadata.xml> |
</file> | </file> |
| |
Hier sehen Sie den Metadatenauszug eines Identity Providers: Er hat Attributfreigaben für Code of Conduct-getreue SPs konfiguriert und verpflichtet sich den Kriterien der Verlässlichkeitsklasse Advanced. | The next example shows IdP metadata: The IdP releases attributes to CoCo compliant SPs. |
| |
<file xml dfn-aai-metadata.xml> | <file xml dfn-aai-metadata.xml> |
<saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | <saml:Attribute Name="http://macedir.org/entity-category-support" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
<saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue> | <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue> |
</saml:Attribute> | |
<saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | |
<saml:AttributeValue>advanced</saml:AttributeValue> | |
</saml:Attribute> | </saml:Attribute> |
</mdattr:EntityAttributes> | </mdattr:EntityAttributes> |
</file> | </file> |
| |
===== Entity Categories in der DFN-AAI ===== | ===== Entity Categories in DFN-AAI ===== |
| |
<callout color="#ff9900" title="Eigene Entity Category?"> Implementierungswünsche für weitere Entity Categories richten Sie bitte an [[hotline@aai.dfn.de|]]. </callout> | <callout color="#ff9900" title="A custom Entity Category?"> You can request the implementation of custom Entity Categories at [[hotline@aai.dfn.de|]]. </callout> |
| |
In der DFN-AAI kommen Entity Categories zum Einsatz, die z.B. nach Projektzugehörigkeit vergeben werden. Sie können anhand der IdP- und SP-seitigen Filtermechanismen dazu eingesetzt werden, sogenannte **virtuelle Subföderationen** zu bilden, z.B. für bwIDM, Nds-AAI und die Virtuelle Hochschule Bayern. Folgende Kategorien werden derzeit vergeben: | In DFN-AAI, there are more Entity Categories used to express the affiliation to projects. We call them **virtual subfederations** for projects like bwIDM, Nds-AAI, or Virtuelle Hochschule Bayern. Here is a list of the implemented Entity Categories: |
| |
* [[http://aai.dfn.de/category/bwidm-member|http://aai.dfn.de/category/bwidm-member]] | * [[http://aai.dfn.de/category/bwidm-member|http://aai.dfn.de/category/bwidm-member]] |
* [[http://aai.dfn.de/category/vhb-member|http://aai.dfn.de/category/vhb-member]] | * [[http://aai.dfn.de/category/vhb-member|http://aai.dfn.de/category/vhb-member]] |
| |
Details hierzu finden sich auf einer [[:de:aai:entity_categories|separaten Übersichtsseite]]. | See the details [[:de:aai:entity_categories|here]] (in German). |
| |
==== Beispiele (Metadaten) ==== | ==== Examples (Metadata) ==== |
| |
Hier sehen Sie den Metadatenauszug eines SP, der am bwIdM-Verbund teilnimmt: | This is the according metadata extract of an SP participating in bwIdM: |
| |
<file xml dfn-aai-sp-metadata.xml> | <file xml dfn-aai-sp-metadata.xml> |
</file> | </file> |
| |
Hier sehen Sie den Metadatenauszug eines IdP, der am bwIdM-Verbund teilnimmt und sich der Verlässlichkeitsklasse Advanced zuordnet: | The metadata of an IdP taking part in bwIdM: |
| |
<file xml dfn-aai-metadata.xml> | <file xml dfn-aai-metadata.xml> |
<saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
<saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue> | <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue> |
</saml:Attribute> | |
<saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | |
<saml:AttributeValue>advanced</saml:AttributeValue> | |
</saml:Attribute> | </saml:Attribute> |
</mdattr:EntityAttributes> | </mdattr:EntityAttributes> |
</file> | </file> |
| |
Hier sehen Sie den Metadatenauszug eines IdP aus den eduGAIN-Metadaten (UK-Föderation), an dem sich Nutzer*innen selbst registrieren können: | This extract shows metadata of an IdP from eduGAIN (from the UK federation) where users can self-register. |
| |
<file xml dfn-aai-edugain+idp-metadata.xml> | <file xml dfn-aai-edugain+idp-metadata.xml> |
</file> | </file> |
| |
==== Beispiele (Filter) ==== | ==== Examples (Filters) ==== |
| |
SP-seitige Whitelist, bei der die Metadaten, mit denen der SP arbeitet, auf IdPs aus dem bwIDM-Projekt beschränkt werden: | This Shibboleth SP filters metadata to allow only IdPs from the bwIdM project: |
| |
<file xml shibboleth2.xml> | <file xml shibboleth2.xml> |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-metadata.xml" | uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml" |
backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="Whitelist" matcher="EntityAttributes"> | <MetadataFilter type="Include" matcher="EntityAttributes"> |
<saml:Attribute Name="http://macedir.org/entity-category" | <saml:Attribute Name="http://macedir.org/entity-category" |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
<saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue> | <saml:AttributeValue>http://aai.dfn.de/category/bwidm-member</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> |
</MetadataFilter> | |
<MetadataFilter type="EntityRoleWhiteList"> | |
<RetainedRole>md:IDPSSODescriptor</RetainedRole> | |
</MetadataFilter> | </MetadataFilter> |
</MetadataProvider> | </MetadataProvider> |
</file> | </file> |
| |
SP-seitige Blacklist, bei der aus den Metadaten, mit denen der SP arbeitet, sog. Public IdPs / Self-Signup IdPs entfernt werden: | This Shibboleth SP filters metadata to remove IdPs with self-registration: |
| |
<file xml shibboleth2.xml> | <file xml shibboleth2.xml> |
<MetadataProvider type="XML" | <MetadataProvider type="XML" |
uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml" | uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml" |
backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> | backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600"> |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> | <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> |
<MetadataFilter type="Blacklist" matcher="EntityAttributes"> | <MetadataFilter type="Exclude" matcher="EntityAttributes"> |
<saml:Attribute Name="http://macedir.org/entity-category" | <saml:Attribute Name="http://macedir.org/entity-category" |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> |
<saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue> | <saml:AttributeValue>http://aai.dfn.de/category/public-idp</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> |
</MetadataFilter> | |
<MetadataFilter type="EntityRoleWhiteList"> | |
<RetainedRole>md:IDPSSODescriptor</RetainedRole> | |
</MetadataFilter> | </MetadataFilter> |
</MetadataProvider> | </MetadataProvider> |
</file> | </file> |
| |
SP-seitige Whitelist, bei der die Metadaten, mit denen der SP arbeitet, auf IdPs der [[:de:degrees_of_reliance|Verlässlichkeitsklasse]] "Advanced" beschränkt werden: | |
| |
<file xml shibboleth2.xml> | This IdP filter policy releases a list of attributes to bwIDM Service Providers: |
<MetadataProvider type="XML" | |
uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml" | |
backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600"> | |
<MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" /> | |
<MetadataFilter type="Whitelist" matcher="EntityAttributes"> | |
<saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" | |
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> | |
<saml:AttributeValue>advanced</saml:AttributeValue> | |
</saml:Attribute> | |
</MetadataFilter> | |
</MetadataProvider> | |
| |
</file> | |
| |
IdP: Attributfreigabe an bwIDM-SPs: | |
| |
<file xml attribute-filter.xml> | <file xml attribute-filter.xml> |
</file> | </file> |
| |
Weitere Beispiele unter [[de:shibidp:config-attributes#haeufig_genutzt_service_provider|Attribut-Konfiguration]]. | Find more examples on the page about [[de:shibidp:config-attributes#haeufig_genutzt_service_provider|Attribute Configuration]] (in German). |
| |
===== Referenzen ===== | ===== References ===== |
| |
Weiterführende Informationen finden Sie im Shibboleth Wiki unter folgenden Links: | For further reading, please consult the Shibboleth Wiki: |
| |
* **IdP - Attributfreigabe** | * **IdP - Attribute Release** |
* [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributeExactMatchConfiguration|EntityAttributeExactMatch Configuration]] | * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributeExactMatchConfiguration|EntityAttributeExactMatch Configuration]] |
* [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributeRegexMatchConfiguration|EntityAttributeRegexMatch Configuration]] | * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributeRegexMatchConfiguration|EntityAttributeRegexMatch Configuration]] |
* **IdP - Relying Party Konfiguration** | * **IdP - Relying Party Configuration** |
* [[https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration#RelyingPartyConfiguration-Overrides|RelyingParty Configuration - Overrides, (RelyingPartyByTag)]] | * [[https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration#RelyingPartyConfiguration-Overrides|RelyingParty Configuration - Overrides, (RelyingPartyByTag)]] |
* **IdP - internes Tagging mit Entity Attributen** | * **IdP - internal tagging with Entity Attributes** |
* [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributesFilter|Metadata - EntityAttributesFilter]] | * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributesFilter|Metadata - EntityAttributesFilter]] |
* **SP - Metadata Filter (matcher="EntityAttributes")** | * **SP - Metadata Filter (matcher="EntityAttributes")** |
* [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-WhitelistMetadataFilter|Whitelist MetadataFilter]] | * [[https://wiki.shibboleth.net/confluence/display/SP3/IncludeMetadataFilter|IncludeMetadataFilter]] |
* [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-BlacklistMetadataFilter|Blacklist MetadataFilter]] | * [[https://wiki.shibboleth.net/confluence/display/SP3/ExcludeMetadataFilter|Exclude MetadataFilter]] |
* **SP - internes Tagging mit Entity Attributen** | * **SP - internal tagging with Entity Attributes** |
* [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-EntityAttributesMetadataFilter(Version2.5andAbove)|Entity Attributes Metadata Filter]] | * [[https://wiki.shibboleth.net/confluence/display/SP3/EntityAttributesMetadataFilter|Entity Attributes Metadata Filter]] |
{{tag>entity-category entity-attribute fixme}} | |
| {{tag>entity-category entity-attribute}} |
| |
| |