Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revisionBoth sides next revision
en:entity_attributes [2021/03/04 11:15] – [GÉANT Data Protection Code of Conduct] Silke Meyeren:entity_attributes [2022/05/02 14:15] Wolfgang Pempe
Line 1: Line 1:
-FIXME **This page is not fully translated, yet. Please help completing the translation.**\\ //(remove this paragraph once the translation is finished)// 
- 
 ====== Entity Attributes ====== ====== Entity Attributes ======
  
Line 25: Line 23:
     </md:Extensions>     </md:Extensions>
  
 +</file>
 +
 +For an example on how to restrict an SP's metadata import to IdPs that conform to the requirements of the Degree of Reliance 'Advanced' please refer to [[en:production#sp_example|Production Environment]].
 +===== SP: Required Degree of Reliance =====
 +This entity attribute is used to signal the [[en:degrees_of_reliance|Degree of Reliance]] required by the respective service provider. 
 +
 +<file xml dfn-aai-sp-metadata.xml>
 +  <EntityDescriptor entityID="https://bw-support.scc.kit.edu/secure">
 +    <Extensions>
 +      <mdrpi:RegistrationInfo registrationAuthority="https://www.aai.dfn.de" registrationInstant="2013-05-29T12:16:37Z">
 +        <mdrpi:RegistrationPolicy xml:lang="en">https://www.aai.dfn.de/en/join/</mdrpi:RegistrationPolicy>
 +        <mdrpi:RegistrationPolicy xml:lang="de">https://www.aai.dfn.de/teilnahme/</mdrpi:RegistrationPolicy>
 +      </mdrpi:RegistrationInfo>
 +      <mdattr:EntityAttributes>
 +        <!-- ... -->      
 +          <saml:Attribute Name="http://aai.dfn.de/require-loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
 +          <saml:AttributeValue>advanced</saml:AttributeValue>
 +        </saml:Attribute>
 +      </mdattr:EntityAttributes>
 +    </Extensions>
 </file> </file>
  
Line 73: Line 91:
 ==== Research and Scholarship ==== ==== Research and Scholarship ====
  
-Die Entity Category Research and Scholarship können Service Provider setzen, deren Dienst die Zusammenarbeit oder das Management in den Bereichen Forschung und Bildung unterstütztDie Bedingungen sind bei [[https://refeds.org/category/research-and-scholarship|REFEDS]] aufgelistetwichtig sind für Sie vor allem die Registrierungskriterien (Punkt 4) und die Attributliste (Punkt 5).+Service Provider supporting research and scholarship interaction, collaboration or management may use the Entity Category Research and Scholarship. The conditions are listed with [[https://refeds.org/category/research-and-scholarship|REFEDS]]. For youthe most important parts are the registration criteria (item no. 4) and the list of attributes (item no. 5).
  
-Die Attributfreigaben, die IdP-seitig erfolgen können, sind unter [[:de:shibidp:config-attributes-rands|Attributfreigaben für die REFEDS Research and Scholarship Entity Category]] dokumentiert.+The attribute filter policies for IdPs are documented [[:de:shibidp:config-attributes-rands|here in our wiki]].
  
 ==== Hide from Discovery ==== ==== Hide from Discovery ====
 +We have not implemented the Entity Category [[https://refeds.org/category/hide-from-discovery|Hide from Discovery]] in our metadata administration tool. IdPs thus cannot not it. However, SPs should be configured to support the EC (e.g. because of IdPs from other federations).
  
-Die Entity Category [[https://refeds.org/category/hide-from-discovery|Hide from Discovery]] für IdPs haben wir derzeit nicht in der Metadatenverwaltung implementiert. SPs sollten dennoch so konfiguriert sein, dass Sie die Entity Category unterstützen.+==== Examples ====
  
-==== Beispiele ==== +The following example shows an extract from SP metadata with three Entity Attributes: The SP commits to CoCo complianceit offers a service for collaboration in research (or similar), and it belongs to the group of Clarin SPs.
- +
-Hier sehen Sie den Metadatenauszug eines Services Providers mit drei Entity Attributes: Er sagt CoCo-Compliance zubietet einen Dienst für kollaboratives Arbeiten in der Forschung o.ä. an und gehört zur Gruppe der Clarin-SPs.+
  
 <file xml dfn-aai-sp-metadata.xml> <file xml dfn-aai-sp-metadata.xml>
Line 103: Line 120:
 </file> </file>
  
-Hier sehen Sie den Metadatenauszug eines Identity ProvidersEr hat Attributfreigaben für Code of Conduct-getreue SPs konfiguriert und verpflichtet sich den Kriterien der Verlässlichkeitsklasse Advanced.+The next example shows IdP metadataThe IdP releases attributes to CoCo compliant SPs, and it commits to the degree of reliance "Advanced".
  
 <file xml dfn-aai-metadata.xml> <file xml dfn-aai-metadata.xml>
Line 124: Line 141:
 </file> </file>
  
-===== Entity Categories in der DFN-AAI =====+===== Entity Categories in DFN-AAI =====
  
-<callout color="#ff9900" title="Eigene Entity Category?"> Implementierungswünsche für weitere Entity Categories richten Sie bitte an [[hotline@aai.dfn.de|]]. </callout>+<callout color="#ff9900" title="A custom Entity Category?"> You can request the implementation of custom Entity Categories at [[hotline@aai.dfn.de|]]. </callout>
  
-In der DFN-AAI kommen Entity Categories zum Einsatz, die z.B. nach Projektzugehörigkeit vergeben werden. Sie können anhand der IdP- und SP-seitigen Filtermechanismen dazu eingesetzt werden, sogenannte **virtuelle Subföderationen**  zu bilden, z.B. für bwIDM, Nds-AAI und die Virtuelle Hochschule Bayern. Folgende Kategorien werden derzeit vergeben:+In DFN-AAI, there are more Entity Categories used to express the affiliation to projectsWe call them **virtual subfederations** for projects like bwIDM, Nds-AAI, or Virtuelle Hochschule Bayern. Here is a list of the implemented Entity Categories:
  
   * [[http://aai.dfn.de/category/bwidm-member|http://aai.dfn.de/category/bwidm-member]]   * [[http://aai.dfn.de/category/bwidm-member|http://aai.dfn.de/category/bwidm-member]]
Line 141: Line 158:
   * [[http://aai.dfn.de/category/vhb-member|http://aai.dfn.de/category/vhb-member]]   * [[http://aai.dfn.de/category/vhb-member|http://aai.dfn.de/category/vhb-member]]
  
-Details hierzu finden sich auf einer [[:de:aai:entity_categories|separaten Übersichtsseite]].+See the details [[:de:aai:entity_categories|here]] (in German).
  
-==== Beispiele (Metadaten) ====+==== Examples (Metadata) ====
  
-Hier sehen Sie den Metadatenauszug eines SP, der am bwIdM-Verbund teilnimmt:+This is the according metadata extract of an SP participating in bwIdM:
  
 <file xml dfn-aai-sp-metadata.xml> <file xml dfn-aai-sp-metadata.xml>
Line 163: Line 180:
 </file> </file>
  
-Hier sehen Sie den Metadatenauszug eines IdP, der am bwIdM-Verbund teilnimmt und sich der Verlässlichkeitsklasse Advanced zuordnet:+The metadata of an IdP taking part in bwIdM and committing to the Degree of Reliance "Advanced" look like this:
  
 <file xml dfn-aai-metadata.xml> <file xml dfn-aai-metadata.xml>
Line 184: Line 201:
 </file> </file>
  
-Hier sehen Sie den Metadatenauszug eines IdP aus den eduGAIN-Metadaten (UK-Föderation), an dem sich Nutzer*innen selbst registrieren können:+This extract shows metadata of an IdP from eduGAIN (from the UK federation) where users can self-register.
  
 <file xml dfn-aai-edugain+idp-metadata.xml> <file xml dfn-aai-edugain+idp-metadata.xml>
Line 202: Line 219:
 </file> </file>
  
-==== Beispiele (Filter) ====+==== Examples (Filters) ====
  
-SP-seitige Whitelist, bei der die Metadaten, mit denen der SP arbeitet, auf IdPs aus dem bwIDM-Projekt beschränkt werden:+This Shibboleth SP filters metadata to allow only IdPs from the bwIdM project:
  
 <file xml shibboleth2.xml> <file xml shibboleth2.xml>
 <MetadataProvider type="XML" <MetadataProvider type="XML"
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-metadata.xml"+     uri="http://www.aai.dfn.de/metadata/dfn-aai-metadata.xml"
      backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600">      backingFilePath="dfn-aai-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
Line 224: Line 241:
 </file> </file>
  
-SP-seitige Blacklist, bei der aus den Metadaten, mit denen der SP arbeitet, sog. Public IdPs / Self-Signup IdPs entfernt werden:+This Shibboleth SP filters metadata to remove IdPs with self-registration:
  
 <file xml shibboleth2.xml> <file xml shibboleth2.xml>
 <MetadataProvider type="XML" <MetadataProvider type="XML"
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-edugain+idp-metadata.xml"+     uri="http://www.aai.dfn.de/metadata/dfn-aai-edugain+idp-metadata.xml"
      backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">      backingFilePath="dfn-aai-edugain+idp-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
Line 244: Line 261:
 </file> </file>
  
-SP-seitige Whitelist, bei der die Metadaten, mit denen der SP arbeitet, auf IdPs der [[:de:degrees_of_reliance|Verlässlichkeitsklasse]] "Advanced" beschränkt werden:+This Shibboleth SP filters metadata to only work with IdPs committing to the Degree of Reliance "Advanced":
  
 <file xml shibboleth2.xml> <file xml shibboleth2.xml>
 <MetadataProvider type="XML" <MetadataProvider type="XML"
-     uri="http://www.aai.dfn.de/fileadmin/metadata/dfn-aai-idp-metadata.xml"+     uri="http://www.aai.dfn.de/metadata/dfn-aai-idp-metadata.xml"
      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600">      backingFilePath="dfn-aai-idp-metadata.xml" reloadInterval="3600">
    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />    <MetadataFilter type="Signature" certificate="/etc/ssl/aai/dfn-aai.pem" />
Line 261: Line 278:
 </file> </file>
  
-IdP: Attributfreigabe an bwIDM-SPs:+This IdP filter policy releases a list of attributes to bwIDM Service Providers:
  
 <file xml attribute-filter.xml> <file xml attribute-filter.xml>
Line 283: Line 300:
 </file> </file>
  
-Weitere Beispiele unter [[de:shibidp:config-attributes#haeufig_genutzt_service_provider|Attribut-Konfiguration]].+Find more examples on the page about [[de:shibidp:config-attributes#haeufig_genutzt_service_provider|Attribute Configuration]] (in German).
  
-===== Referenzen =====+===== References =====
  
-Weiterführende Informationen finden Sie im Shibboleth Wiki unter folgenden Links:+For further reading, please consult the Shibboleth Wiki:
  
-  * **IdP - Attributfreigabe** +  * **IdP - Attribute Release** 
-      * [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributeExactMatchConfiguration|EntityAttributeExactMatch Configuration]] +      * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributeExactMatchConfiguration|EntityAttributeExactMatch Configuration]] 
-      * [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributeRegexMatchConfiguration|EntityAttributeRegexMatch Configuration]] +      * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributeRegexMatchConfiguration|EntityAttributeRegexMatch Configuration]] 
-  * **IdP - Relying Party Konfiguration** +  * **IdP - Relying Party Configuration** 
-      * [[https://wiki.shibboleth.net/confluence/display/IDP30/RelyingPartyConfiguration#RelyingPartyConfiguration-Overrides|RelyingParty Configuration - Overrides, (RelyingPartyByTag)]] +      * [[https://wiki.shibboleth.net/confluence/display/IDP4/RelyingPartyConfiguration#RelyingPartyConfiguration-Overrides|RelyingParty Configuration - Overrides, (RelyingPartyByTag)]] 
-  * **IdP - internes Tagging mit Entity Attributen** +  * **IdP - internal tagging with Entity Attributes** 
-      * [[https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributesFilter|Metadata - EntityAttributesFilter]]+      * [[https://wiki.shibboleth.net/confluence/display/IDP4/EntityAttributesFilter|Metadata - EntityAttributesFilter]]
   * **SP - Metadata Filter (matcher="EntityAttributes")**   * **SP - Metadata Filter (matcher="EntityAttributes")**
-      * [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-WhitelistMetadataFilter|Whitelist MetadataFilter]] +      * [[https://wiki.shibboleth.net/confluence/display/SP3/IncludeMetadataFilter|IncludeMetadataFilter]] 
-      * [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-BlacklistMetadataFilter|Blacklist MetadataFilter]] +      * [[https://wiki.shibboleth.net/confluence/display/SP3/ExcludeMetadataFilter|Exclude MetadataFilter]] 
-  * **SP - internes Tagging mit Entity Attributen** +  * **SP - internal tagging with Entity Attributes** 
-      * [[https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter#NativeSPMetadataFilter-EntityAttributesMetadataFilter(Version2.5andAbove)|Entity Attributes Metadata Filter]] +      * [[https://wiki.shibboleth.net/confluence/display/SP3/EntityAttributesMetadataFilter|Entity Attributes Metadata Filter]] 
-{{tag>entity-category entity-attribute fixme}}+ 
 +{{tag>entity-category entity-attribute}}
  
  
  • Last modified: 18 months ago