Changes

JRA5Attributes

382 bytes added, 5 April 2011, 14:18
no edit summary
{{TRASH}}
 
When a Home Bridging Element releases local attributes to a Remote Bridging Element, some attribute transformation and attribute filtering should take place. Similarly, the Remote BE has to filter out unnecessary/unwanted attributes and transform the remaining ones according to its federation's rules.
Shibboleth uses <code>*AttributeDefinition</code> elements to define conversion rules from data source (e.g. LDAP) attributes to "resolved" attributes. <code>AttributeDefinition</code>s can depend on <code>DataConnector</code>s or other <code>AttributeDefinition</code>s.
This mechanism can be used for attribute conversion in eduGAIN as well, if we can define a <code>DataConnector</code> that can use attributes retrieved
* from the IdP (at the HBE), or
* from the HBE (at the RBE).
Shibboleth2 has a number of built-in <code>AttributeDefinition</code>s:
* [https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverSimpleAttributeDefinition SimpleAttributeDefinition]: pass through the retrieved value of the attribute
* [https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScopedAttributeDefinition ScopedAttributeDefinition]: append a scope to the attribute value
* [https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverTemplateAttributeDefinition TemplateAttributeDefinition]: sets the value based on an arbitrary template of constant strings and other attributes
* [https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverMappedAttributeDefinition MappedAttributeDefinition]: sets the value according to conditions on (possibly other) attribute values
* [https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinition ScriptedAttributeDefinition]: execute a [https://scripting.dev.java.net/ JSR-223] (Java) script to determine the attribute value. This script gets the context information in the <code>requestContext</code> variable.
* ... and some others ...
==== Hooking into EduGAIN ====
* Licensing issue (Shibboleth has an Apache2-style licence)
* The amount of code that needs to be included in eduGainBase is unknown. Worst case: the whole Java Shibboleth library (<code>edu.internet2.middleware.shibboleth.common.*</code>)
== Filtering ==
Both HBE and RBE need to filter the set of attributes released and accepted.
 
Shibboleth2 comes with filtering code that is the same for both the attribute publisher and the consumer. Filtering rules may be based on (among others):
* requester/issuer
* attribute values
* authentication context
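
The three rule bases listed above, written as a Shibboleth2 attribute filter policy. This is an added example, not configuration from this wiki or from eduGAIN; the entity ID, the policy ids and the choice of attributes are placeholder assumptions.

```xml
<!-- Added illustration: entity ID, policy ids and attribute choices are placeholders -->
<afp:AttributeFilterPolicyGroup id="BridgingElementFilterExample"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Requester-based: this policy is active only when the named peer asks.
       On the consuming side the same policy format would match on the
       sender with basic:AttributeIssuerString instead. -->
  <afp:AttributeFilterPolicy id="releaseToExamplePeer">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://rbe.example.org/placeholder-entity-id" />

    <!-- Value-based: only the listed affiliation values pass -->
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString"
            value="member" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString"
            value="staff" ignoreCase="true" />
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Authentication-context-based: release the identifier only when the
       user authenticated with the named method -->
  <afp:AttributeFilterPolicy id="releaseAfterPasswordProtectedTransport">
    <afp:PolicyRequirementRule xsi:type="basic:AuthenticationMethodString"
        value="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

An attribute or value that no active policy permits is dropped, so a policy group like this acts as an allow-list at both the HBE and the RBE.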
