Releasing user attributes (manual install, step 5/9)
Replace /opt/shibboleth-idp/conf/attribute-filter.xml with the content below. In it, eduPersonEntitlement is released only to the Elsevier database provider (for ease of testing, the SPs of the CARSI test environment and production environment are added as well).
Configuring attribute release involves two levels: which SPs attributes are released to, and which attributes are released. xsi:type="ANY" means: release the attributes to any SP. permitAny="true" means that every value the attribute can take (here eduPersonScopedAffiliation) is released.
<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="carsiAttrFilterPolicy">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
        <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="carsiAttrFilterToSPPolicy">
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sptest.pku.edu.cn/shibboleth" />
            <Rule xsi:type="Requester" value="https://dspre.carsi.edu.cn/shibboleth" />
            <Rule xsi:type="Requester" value="https://ds.carsi.edu.cn/shibboleth-sp/carsifed" />
            <Rule xsi:type="Requester" value="https://sdauth.sciencedirect.com/" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
To release attributes only to one SP or a few specific SPs:
Replace <PolicyRequirementRule xsi:type="ANY" /> with

    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />

Here https://sp.example.org is the SP's entityID; this releases attributes only to sp.example.org. For several SPs, use an OR rule:

    <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://sp.example.org" />
        <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
    </PolicyRequirementRule>

This releases attributes to sp.example.org or another.example.org.
To restrict which values of a released attribute are sent:
Replace <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> with

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="Value" value="jsmith" ignoreCase="true" />
    </AttributeRule>

value="jsmith" means that eduPersonPrincipalName is released only when its value is jsmith.
To allow several values of a released attribute:
Replace <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> with

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="OR">
            <Rule xsi:type="Value" value="jsmith" ignoreCase="true" />
            <Rule xsi:type="Value" value="jimmy" ignoreCase="true" />
        </PermitValueRule>
    </AttributeRule>

value="jsmith" and value="jimmy" mean that eduPersonPrincipalName is released only when its value is jsmith or jimmy.
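The rules above (ANY, Requester, OR, permitAny, Value with ignoreCase) decide exactly which attribute values leave the IdP, so it is worth checking an attribute-filter.xml against a concrete SP entityID before deploying it, since anything under the ANY policy goes to every SP the IdP trusts. The following script is an added example, not code from the original page or from the Shibboleth project: it parses a filter policy with the standard library and simulates release for one SP and one user, supporting only the rule types shown on this page (DenyValueRule and the other rule types are not modelled). The policy text and the user's attribute values are constructed for the demo; the policy ids eppnToOneSP and the entitlement and affiliation values are assumptions, not the page's.

```python
"""Simulate Shibboleth attribute-filter.xml release for one SP and one user.
Added example; covers only ANY / Requester / OR / AND policy rules and
permitAny / Value / OR / AND permit rules, as used on this page."""
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def _afp(tag):
    return "{%s}%s" % (AFP, tag)


def _xsi_type(elem):
    return elem.get("{%s}type" % XSI)


def _policy_applies(rule, requester):
    """PolicyRequirementRule: does this policy apply to the requesting SP?"""
    kind = _xsi_type(rule)
    if kind == "ANY":
        return True
    if kind == "Requester":
        return rule.get("value") == requester  # entityID must match exactly
    children = rule.findall(_afp("Rule"))
    if kind == "OR":
        return any(_policy_applies(r, requester) for r in children)
    if kind == "AND":
        return all(_policy_applies(r, requester) for r in children)
    raise ValueError("unsupported PolicyRequirementRule type: %r" % kind)


def _value_permitted(rule, value):
    """PermitValueRule: is this single attribute value allowed out?"""
    kind = _xsi_type(rule)
    if kind == "ANY":
        return True
    if kind == "Value":
        expected = rule.get("value", "")
        if rule.get("ignoreCase", "false").lower() == "true":
            return value.lower() == expected.lower()
        return value == expected
    children = rule.findall(_afp("Rule"))
    if kind == "OR":
        return any(_value_permitted(r, value) for r in children)
    if kind == "AND":
        return all(_value_permitted(r, value) for r in children)
    raise ValueError("unsupported PermitValueRule type: %r" % kind)


def released_attributes(filter_xml, requester, user_attributes):
    """Return {attributeID: [values]} that would be released to `requester`.
    `user_attributes` maps attributeID -> list of resolved values for one user.
    A value is released if any applicable policy's AttributeRule permits it."""
    root = ET.fromstring(filter_xml)
    released = {}
    for policy in root.findall(_afp("AttributeFilterPolicy")):
        req = policy.find(_afp("PolicyRequirementRule"))
        if req is None or not _policy_applies(req, requester):
            continue
        for attr_rule in policy.findall(_afp("AttributeRule")):
            attr_id = attr_rule.get("attributeID")
            values = user_attributes.get(attr_id, [])
            if attr_rule.get("permitAny", "false").lower() == "true":
                permitted = list(values)
            else:
                permit_rules = attr_rule.findall(_afp("PermitValueRule"))
                permitted = [v for v in values
                             if any(_value_permitted(pr, v) for pr in permit_rules)]
            if permitted:
                bucket = released.setdefault(attr_id, [])
                bucket.extend(v for v in permitted if v not in bucket)
    return released


# Constructed sample policy: the page's two policies plus a hypothetical
# eppnToOneSP policy that restricts eduPersonPrincipalName to one SP.
SAMPLE_FILTER = """
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="carsiAttrFilterPolicy">
    <PolicyRequirementRule xsi:type="ANY" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="carsiAttrFilterToSPPolicy">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="Requester" value="https://ds.carsi.edu.cn/shibboleth-sp/carsifed" />
      <Rule xsi:type="Requester" value="https://sdauth.sciencedirect.com/" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="eppnToOneSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="Value" value="jsmith" ignoreCase="true" />
        <Rule xsi:type="Value" value="jimmy" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

# Constructed attribute values for one test user (not real data).
SAMPLE_USER = {
    "eduPersonScopedAffiliation": ["member@pku.edu.cn"],
    "eduPersonTargetedID": ["opaque-id-123"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "eduPersonPrincipalName": ["JSmith"],
}

if __name__ == "__main__":
    for sp in ("https://sdauth.sciencedirect.com/", "https://sp.example.org",
               "https://unknown.example.org/shibboleth"):
        print(sp, "->", released_attributes(SAMPLE_FILTER, sp, SAMPLE_USER))
```

Run it with your real attribute-filter.xml (read the file into `filter_xml`) and the entityID of each SP you care about; an SP that is not named in any Requester rule should come back with only the attributes under the ANY policy, and an eduPersonPrincipalName value outside the permitted list should not appear at all.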
Copyright © Peking University Computer Center