-->
<!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
- <AttributeRule Name="urn:mace:dir:eduperson#eduPersonScopedAffiliation">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
<AnySite>
<Value>member</Value>
<Value>faculty</Value>
</AttributeRule>
<!-- Basic rule to pass through any value. -->
- <AttributeRule Name="urn:mace:dir:eduperson#eduPersonPrincipalName">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>
<!-- Entitlements tend to be filtered per-site. -->
- <AttributeRule Name="urn:mace:dir:eduperson#eduPersonEntitlement">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
<!--
Optional site rule that applies to any site
# host, and port will determined dynamically in each virtual host. If
# for some reason the dynamically derived URL is not appropriate, a
# complete URL can be used, and may be set per-vhost explicitly:
-# SHIREURL https://<server-name>/shibboleth/SHIRE
+# SHIREURL https://<server-name>/SHIRE
#
# The SHIREURL and subsequent "Location" handler must match.
#
-SHIREURL /shibboleth/SHIRE
-<Location /shibboleth/SHIRE>
+SHIREURL /SHIRE
+<Location /SHIRE>
SetHandler shib-shire-post
</Location>
# and is automatically checked by a "require user" rule.
# The parameter syntax is <attribute-uri> <HTTP-header> [<alias>]
#
-ShibMapAttribute urn:mace:dir:eduperson#eduPersonPrincipalName REMOTE_USER
-ShibMapAttribute urn:mace:dir:eduperson#eduPersonScopedAffiliation Shib-EP-Affiliation affiliation
-ShibMapAttribute urn:mace:dir:eduperson#eduPersonEntitlement Shib-EP-Entitlement entitlement
+ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName REMOTE_USER
+ShibMapAttribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation Shib-EP-Affiliation affiliation
+ShibMapAttribute urn:mace:dir:attribute-def:eduPersonEntitlement Shib-EP-Entitlement entitlement
#
# Configure a test directory
#
-# You need _at least_ a "require" option for shib to take effect for this
+# You need _at least_ a "require" option for Shib to take effect for this
# directory. You can either set the AuthType to "shibboleth", or you can
-# turn on ShibBasicHijack.
+# turn on ShibBasicHijack. For Shib, valid-user is a somewhat vague concept
+# and only means that a trusted origin site has authenticated the user, but
+# doesn't mean that any attributes were received.
#
<Location /secure>
AuthType shibboleth
- require affiliation ~ member@.*
+ require affiliation ~ ^member@.+$
+ # require valid-user
# Per-directory SHIRE Configuration
#ShibBasicHijack On
#ShibSSLOnly On
- #ShibAuthLifetime 60
- #ShibAuthTimeout 600
+ #ShibAuthLifetime 14400
+ #ShibAuthTimeout 3600
# RM Configuration
#AuthGroupFile /foo
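Review bot: The new `require affiliation ~ ^member@.+$` is anchored, which is an improvement over the old unanchored `member@.*`, but `.+` still admits any scope after the `@`, so this directive alone does not restrict which origin's "member" is accepted; whether the scope is constrained presumably depends on the AAP's site rules for eduPersonScopedAffiliation (the AAP hunk above shows only `<AnySite>` value rules for it), which should be confirmed. A short comment would keep the next editor from reading this as a scope check: `# matches member@<any scope>; the scope itself is only vetted by the AAP rules, not here`. The same caveat applies to the `# require valid-user` alternative on the following line, which the new comment at the top of this hunk already describes as meaning only that a trusted origin authenticated the user. The `<Location /secure>` block and its enclosing context continue past the visible end of the hunk.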
# These are sample eduPerson attributes used in the InCommon pilot.
# When defining new attributes, be sure to define them in the AAP file, if any,
# as well as defining them to Apache or other web server.
-urn:mace:dir:eduperson#eduPersonPrincipalName=scoped
-urn:mace:dir:eduperson#eduPersonScopedAffiliation=scoped
-urn:mace:dir:eduperson#eduPersonEntitlement=simple
+urn:mace:dir:attribute-def:eduPersonPrincipalName=scoped
+urn:mace:dir:attribute-def:eduPersonScopedAffiliation=scoped
+urn:mace:dir:attribute-def:eduPersonEntitlement=simple
[policies]
# This is a sample policy URI used by the InCommon pilot origins.