Note that the SDSS Federation no longer accepts new applications to join. Applications should instead be made to join the UK Federation. The information on this page is of historical interest only.
Attribute Usage
All the attributes we use at present are from the eduPerson specification.
The table below shows the attributes recognised by each service. Of these, the only one that the default Shibboleth attribute release policy allows service providers to see is eduPersonScopedAffiliation. To release any others, you will need to edit the arp.site.xml file as described later under Attribute Release.
| Org. | Service | Shib. | Attribute | Notes | Required |
|---|---|---|---|---|---|
| EDINA | CAB Abstracts | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| EDINA | EIG | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| EDINA | EIG | 1.3 | eduPersonTargetedID | 2 | No |
| EDINA | Film&Sound Online | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| EDINA | Film&Sound Online | 1.3 | eduPersonTargetedID | 2 | No |
| EDINA | Film&Sound Online | 1.3 | eduPersonEntitlement | 4 | No |
| EDINA | Index to The Times | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| EDINA | Land, Life & Leisure | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| EDINA | Land, Life & Leisure | 1.3 | eduPersonTargetedID | 2 | No |
| EDINA | Stat. Acc. Scotland | 1.3 | eduPersonScopedAffiliation | 1 | Yes |
| Elsevier | ScienceDirect | | eduPersonTargetedID | 2, 6 | No |
| Internet2 | Shib Wiki | | eduPersonPrincipalName | 3 | Yes |
| MIMAS | Hairdressing Training | | eduPersonScopedAffiliation | 1 | Yes |
| MIMAS | Landmap | | eduPersonPrincipalName | | Yes |
| MIMAS | Landmap | | givenName | 5 | No |
| MIMAS | Landmap | | sn | 5 | No |
| MIMAS | Landmap | | ou | 5 | No |
| MIMAS | Landmap | | | 5 | No |
| MIMAS | Zetoc Alert | | eduPersonScopedAffiliation | 1 | Yes |
| MIMAS | Zetoc Alert | | eduPersonTargetedID | 2 | Yes |
| MIMAS | Zetoc Search | | eduPersonScopedAffiliation | 1 | Yes |
Notes:
1. The only attribute that an identity provider must release for its users to be able to access most EDINA services is eduPersonScopedAffiliation. This is a scoped attribute, which might, for example, have the value "member" in scope "uni.ac.uk", often written as "member@uni.ac.uk".
It is used for the basic authorisation decision: does uni.ac.uk subscribe to the service in question? If so, the user is allowed access. EDINA maintains its own table of which institutions subscribe to what EDINA-hosted services; it does not rely on user attributes for this information.
An identity provider can generate eduPersonScopedAffiliation automatically (without an attribute store) by setting the required scope in resolver.xml as described in SetupIdentityProvider.
2. Many services can make use of, but do not require, the eduPersonTargetedID attribute. This is a persistent opaque identifier, which enables service personalisation (remembering data about a user over different login sessions) without the service provider knowing who the user is. If the identity provider supplies the eduPersonTargetedID attribute, the session is treated similarly to an Athens personal account. Otherwise, the service's personalisation features (e.g., saved searches) may be disabled, though the service will still function in the same way as with Athens shared accounts. With some services (e.g., Zetoc Alert) this attribute is mandatory. If so, it is marked as "Required/Yes" in the table above.
A Shibboleth identity provider can generate the opaque eduPersonTargetedID attribute automatically from some other stored attribute that holds the user id in the clear, such as eduPersonPrincipalName, by editing resolver.xml and uncommenting or adding:
<PersistentIDAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonTargetedID"
                                 scope="SSSSSSSS" sourceName="eduPersonPrincipalName">
    <DataConnectorDependency requires="echo"/>
    <Salt>XXXXXXXXXXXXXXXXXXXXXXX</Salt>
</PersistentIDAttributeDefinition>
Replace the scope "SSSSSSSS" with the domain for which the attribute is to be asserted, e.g., "uni.ac.uk". The <Salt> is a constant, arbitrary value that you should choose once and keep secret. The value must be at least 16 characters long, otherwise the software will silently ignore it and expect the value to be supplied from a Java keystore. The Salt value is used to generate the persistent opaque identifier from the scope and some other attribute, normally the user id (eduPersonPrincipalName). Its purpose is to prevent attempts to work back from the opaque identifier to the user's identity by combining knowledge of the scope and the hash function used with an exhaustive search of the possible user ids.
The default Shibboleth attribute release policy does not release eduPersonTargetedID. You must therefore manually edit the arp.site.xml file to enable this feature, as described under Attribute Release below.
3. Shibboleth is not required at all simply to view the Internet2 Shibboleth Wiki, but you must log in from a federation to edit it, and that requires eduPersonPrincipalName (to identify an individual editing account).
4. The EMOL service contains some restricted material not accessible to all users. Identity providers may assert a particular eduPersonEntitlement value to indicate that an individual user should have access to this material. The required value is listed in the rule set for EMOL in the section on Attribute Release below, which indicates the changes that may be needed in your ARP file, usually arp.site.xml. In resolver.xml, simply use the default (unscoped) attribute definition for eduPersonEntitlement as shown below, where "xxxx" is the name of the data connector that links to your directory:
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <DataConnectorDependency requires="xxxx"/>
</SimpleAttributeDefinition>
5. Some services can make use of optional attributes if an identity provider offers them. For example, MIMAS Landmap makes use of the user's given name (givenName), surname (sn) and organisational unit (ou, treated as a Department name), if present. If such optional attributes are not provided by the identity provider, the service may require the user to enter the same information manually, and these entries may need to be manually checked by the operator of the service.
6. Some services (e.g., ScienceDirect) grant access based on the name (entityID) of the identity provider used, rather than on the basis of user attributes. Therefore, it is not necessary to release any user attributes to such services to gain basic access, though some services may make use of additional attributes if they are supplied (for example, ScienceDirect can make use of eduPersonTargetedID).
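The following is an added example, not code from the SDSS pages or from the Shibboleth IdP, illustrating the properties that note 2 relies on when it says a salted opaque identifier is persistent yet cannot be worked back to the user. The page does not give the IdP's digest construction, so HMAC-SHA256 over the scope and user id, keyed with the <Salt> value, stands in for it; the salt, scope and user ids are constructed values. The 16-character minimum is the one the page states.

```python
import base64
import hashlib
import hmac

# The page states that the 1.3 IdP silently ignores a <Salt> shorter than this.
MIN_SALT_LEN = 16


def salt_is_usable(salt):
    """True if the salt is long enough to be honoured by the IdP."""
    return len(salt) >= MIN_SALT_LEN


def targeted_id(salt, scope, user_id):
    """Derive an opaque, persistent identifier for user_id asserted in scope.

    HMAC-SHA256 keyed with the salt is an assumption standing in for the IdP's
    own construction. It shows the properties the page relies on: the same
    inputs always give the same identifier, different users or scopes give
    unrelated identifiers, and without the salt a guessed user id cannot be
    turned into the identifier, however well the scope and algorithm are known.
    """
    if not salt_is_usable(salt):
        raise ValueError("salt must be at least %d characters" % MIN_SALT_LEN)
    message = ("%s!%s" % (scope, user_id)).encode("utf-8")
    digest = hmac.new(salt.encode("utf-8"), message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed values: a real deployment chooses its own salt once and keeps it secret.
SALT = "constructed-example-salt-do-not-reuse"
SCOPE = "uni.ac.uk"


def demo():
    """Return the properties a deployer should expect, as {label: bool}."""
    first = targeted_id(SALT, SCOPE, "alice@uni.ac.uk")
    again = targeted_id(SALT, SCOPE, "alice@uni.ac.uk")
    other_user = targeted_id(SALT, SCOPE, "bob@uni.ac.uk")
    other_scope = targeted_id(SALT, "other.ac.uk", "alice@uni.ac.uk")
    # A party that knows scope, user id and algorithm but not the salt cannot
    # reproduce the identifier: a different salt yields an unrelated value.
    wrong_salt = targeted_id("another-constructed-salt-value", SCOPE, "alice@uni.ac.uk")
    return {
        "persistent_across_sessions": first == again,
        "distinct_per_user": first != other_user,
        "distinct_per_scope": first != other_scope,
        "unlinkable_without_salt": first != wrong_salt,
        "short_salt_rejected": not salt_is_usable("tooshort"),
    }


if __name__ == "__main__":
    print(targeted_id(SALT, SCOPE, "alice@uni.ac.uk"))
    for label, ok in demo().items():
        print("%-28s %s" % (label, ok))
```

Because the IdP ignores a short salt rather than refusing to start, checking the salt length yourself before deployment is the only way to be sure the identifier is actually being keyed; `salt_is_usable` is the kind of pre-flight check that catches this.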
Attribute Release
An identity provider must ensure that its attribute release policy makes every required attribute visible to all the services its users should be able to visit. The default arp.site.xml file shipped with Shibboleth releases eduPersonScopedAffiliation to any target, which is all that is initially required by many services. Some services will work better, by supporting personalisation, if eduPersonTargetedID is also released. The default arp.site.xml file can be modified to release eduPersonTargetedID as follows (with eduPersonAffiliation also removed, as this unscoped attribute is of limited use across a federation):
<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:arp:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd" >
    <Description>Simplest possible ARP plus targeted ID.</Description>
    <Rule>
        <Target>
            <AnyTarget/>
        </Target>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
            <AnyValue release="permit"/>
        </Attribute>
        <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
            <AnyValue release="permit"/>
        </Attribute>
    </Rule>
</AttributeReleasePolicy>
Additional attributes, e.g., eduPersonEntitlement, can be released similarly.
If you later decide to modify the attribute release policy so that these attributes are not universally released, you will need to add individual <Rule>s for each service users should have access to. You can copy the <Rule>s needed from the list of examples below:
<Rule>
    <Description>CAB Abstracts and "Land, Life and Leisure" at EDINA</Description>
    <Target>
        <Requester>urn:mace:ac.uk:sdss.ac.uk:provider:service:nevis.ed.ac.uk</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
        <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
<Rule>
    <Description>Film and Sound Online service at EDINA</Description>
    <Target>
        <Requester>urn:mace:ac.uk:sdss.ac.uk:provider:service:emol.sdss.ac.uk</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
        <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
        <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
        <Value release="permit">urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted</Value>
    </Attribute>
</Rule>
<Rule>
    <Description>EIG service at EDINA</Description>
    <Target>
        <Requester>urn:mace:ac.uk:sdss.ac.uk:provider:service:eig.sdss.ac.uk</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
        <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
<Rule>
    <Description>Internet2 Shibboleth Wiki</Description>
    <Target>
        <Requester>https://spaces.internet2.edu/shibboleth</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
<Rule>
    <Description>MIMAS Landmap</Description>
    <Target>
        <Requester>urn:mace:ac.uk:sdss.ac.uk:provider:service:shibboleth-landmap.mimas.ac.uk</Requester>
    </Target>
    <!-- Minimal attribute set required is just ePPN: givenName, sn and ou are optional -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
<Rule>
    <Description>ScienceDirect</Description>
    <Target>
        <Requester>https://sdauth.sciencedirect.com/</Requester>
    </Target>
    <!--
    No attributes are required: access is granted based on IdP entityID
    but ePTI is leveraged if present.
    -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
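To see how the rules above combine, here is an added example (not code from the SDSS pages or from the Shibboleth IdP) that evaluates a small ARP against a requester and a user's attribute set. The policy embedded in it is the AnyTarget rule from the default arp.site.xml plus the Film and Sound Online rule from the list above; the user attribute values, the second entitlement value and the `https://sp.example.org/shibboleth` requester are constructed. It implements only the permit semantics of <AnyTarget/>, <Requester>, <AnyValue> and <Value>, enough to show that the EMOL rule releases exactly one entitlement value and that an unlisted service sees only eduPersonScopedAffiliation.

```python
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"


def q(tag):
    """Qualify an element name with the ARP namespace."""
    return "{%s}%s" % (ARP_NS, tag)


# Constructed policy: the AnyTarget rule of the default arp.site.xml plus the
# Film and Sound Online (EMOL) rule, which permits a single entitlement value.
SAMPLE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Film and Sound Online service at EDINA</Description>
    <Target>
      <Requester>urn:mace:ac.uk:sdss.ac.uk:provider:service:emol.sdss.ac.uk</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <Value release="permit">urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""

EMOL = "urn:mace:ac.uk:sdss.ac.uk:provider:service:emol.sdss.ac.uk"
OTHER_SP = "https://sp.example.org/shibboleth"  # constructed; matches no rule

# Constructed attribute set as the resolver might produce it for one user. The
# second entitlement value stands for something the IdP holds but must not leak.
USER_ATTRS = {
    "urn:mace:dir:attribute-def:eduPersonScopedAffiliation": ["member@uni.ac.uk"],
    "urn:mace:dir:attribute-def:eduPersonTargetedID": ["constructed-opaque-id"],
    "urn:mace:dir:attribute-def:eduPersonEntitlement": [
        "urn:mace:ac.uk:sdss.ac.uk:entitlement:emol.sdss.ac.uk:restricted",
        "urn:example:entitlement:internal-only",
    ],
    "urn:mace:dir:attribute-def:eduPersonPrincipalName": ["alice@uni.ac.uk"],
}


def rule_applies(rule, requester):
    """A rule applies to every requester (AnyTarget) or to the named Requesters."""
    target = rule.find(q("Target"))
    if target is None:
        return False
    if target.find(q("AnyTarget")) is not None:
        return True
    return any(r.text and r.text.strip() == requester
               for r in target.findall(q("Requester")))


def permitted_values(attr_elem, have):
    """Values of one attribute that a matching rule's <Attribute> permits."""
    if any(a.get("release") == "permit" for a in attr_elem.findall(q("AnyValue"))):
        return list(have)
    allowed = {v.text.strip() for v in attr_elem.findall(q("Value"))
               if v.get("release") == "permit" and v.text}
    return [v for v in have if v in allowed]


def released_attributes(arp_xml, requester, user_attrs):
    """Return {attribute name: [values]} the policy releases to requester.

    Anything that no applicable rule permits is withheld, which is why an
    attribute missing from arp.site.xml is never seen by a service. Deny
    rules, wildcard requesters and match functions are left out here.
    """
    root = ET.fromstring(arp_xml)
    released = {}
    for rule in root.findall(q("Rule")):
        if not rule_applies(rule, requester):
            continue
        for attr_elem in rule.findall(q("Attribute")):
            name = attr_elem.get("name")
            out = released.setdefault(name, [])
            for value in permitted_values(attr_elem, user_attrs.get(name, [])):
                if value not in out:
                    out.append(value)
    return {name: values for name, values in released.items() if values}


if __name__ == "__main__":
    for sp in (EMOL, OTHER_SP):
        print(sp)
        for name, values in released_attributes(SAMPLE_ARP, sp, USER_ATTRS).items():
            print("  %s -> %s" % (name.rsplit(":", 1)[-1], values))
```

Running it for the EMOL requester yields the scoped affiliation, the targeted ID and the single permitted entitlement value, while the internal-only entitlement and eduPersonPrincipalName are withheld; the constructed unlisted service receives only eduPersonScopedAffiliation. Using <Value> rather than <AnyValue> for eduPersonEntitlement is what keeps other entitlement values inside the institution.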