Attribute Release Policy
The Attribute Release Policy (ARP) defines which attribute values are released to any given SP. Engineblock only supports one ARP per SP. This means that the defined ARP will be applied to all IdPs making use of that SP.
The ARP only applies to actual attributes; the SAML NameID element is always provided.
When no ARP is defined (null; note that this differs from an empty ARP, see below), all attributes the IdP provides are released to the SP. This includes the EB generated attribute eduPersonTargetedId. It does not include any attribute aggregation sources.
When the ARP is set but an empty list, this means no attributes are supplied to the SP. Only the SAML NameID element is sent.
The common case is an ARP that lists a number of attributes. These attributes will be released to the SP when provided by the IdP or attribute source. If the attribute in question is not supplied by the IdP (or attribute source), the attribute is not released to the SP.
Attribute values can also be filtered. By default this filter is the wildcard `*`. The filter can be either a list of verbatim strings or strings ending in the suffix wildcard `*` (other wildcard positions are not allowed). All incoming values are matched against the strings or wildcards and are only kept when they match. When there are 0 matches, the attribute is not released at all. This allows, for example, releasing only eduPersonEntitlement values with a specific URN prefix.
The ARP also contains a 'motivation' field per attribute (single language only) that will be shown as an explanation in the consent screen for why the service needs this attribute.
The default attribute source 'idp' means that the attribute is supplied by the user's authenticating IdP.
If at least one attribute has an attribute source other than 'idp', a callout is done to the OpenConext Attribute Aggregation service (AA). This service may return different or additional values for the user's attributes. The resulting attributes incoming from the AA are subsequently subject to the ARP, including the configured value filters.
EB can generate the following attributes:
- eduPersonTargetedId. Always a copy of the SAML NameID element as it will be released to this SP. Only released when eduPersonTargetedId is in the ARP (with source 'idp' for legacy reasons) or the ARP is unset.
- isMemberOf. Set to a static URN if the identity provider has the coin:guest_qualifier set to "None".
You can set `release_as` to a string for a given attribute. The values of that attribute will then be released to the SP under the specified name, instead of the original, official name.
You can set the `use_as_nameid` flag on exactly one attribute in the ARP. The first value of this attribute will then be used as the value in the SAML Subject NameID, regardless of the NameIDFormat that is specified in the SP metadata. The NameIDFormat that will be used is the 'unspecified' format. If the attribute is not present from the IdP, then the normal NameID behaviour is used as configured for that SP.