<!--
An AAP is a set of AttributeRule elements, each one
referencing a specific attribute by URI. All attributes that
- are implemented via the built-in Simple and Scoped classes must be
- listed in the file or they will be filtered out.
+ should be visible to an application running at the target should
+ be listed, or they will be filtered out.
Scoped attributes are also filtered on Scope via the Domain elements
in the site metadata.
-->
<!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
+ Header="Shib-EP-Affiliation" Alias="affiliation">
<AnySite>
<Value>member</Value>
<Value>faculty</Value>
</AttributeRule>
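Review bot: The `Header` and `Alias` attributes added to this rule, and to the eduPersonPrincipalName and eduPersonEntitlement rules further down, are not explained anywhere in the file. The same commit deletes the Apache comment that documented the mapping syntax, so that explanation is lost. The removed comment described the alias as the name used with `require` directives and the other field as the HTTP header, so I would add a comment above the first rule such as `<!-- Header: HTTP header the attribute is exported in; Alias: name used in "require" authorization rules. -->`. The rule body appears abridged in this view, so the full value list is not visible here.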
<!-- Basic rule to pass through any value. -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
+ Header="REMOTE_USER" Alias="user">
<AnySite>
<AnyValue/>
</AnySite>
</AttributeRule>
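Review bot: This rule now decides what lands in `REMOTE_USER`, yet it accepts any value from any site (`<AnySite>` with `<AnyValue/>`), so the scope check described in the file's opening comment is the only limit on which origin can assert a given principal name. The `[attributes]` section that declared this attribute `scoped` is removed from the ini file in the same commit, and nothing on the new rule shows how scoped handling is selected. That may be handled elsewhere, but it should be confirmed before merging. I would record the dependency next to the rule: `<!-- Populates REMOTE_USER; relies on scope filtering against the site's Domain elements, do not relax that check. -->`. The old mapping had no alias, so the new `Alias="user"` also deserves a line on how it relates to the built-in "require user" check.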
<!-- Entitlements tend to be filtered per-site. -->
- <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement">
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement"
+ Header="Shib-EP-Entitlement" Alias="entitlement">
<!--
Optional site rule that applies to any site
</Location>
#
-# Basic Attribute Mappings
-# Register attributes you wish to recognize and map them to an
-# authorization "alias" for use with require directives.
-# REMOTE_USER is a special case, suggested for use with EPPN,
-# and is automatically checked by a "require user" rule.
-# The parameter syntax is <attribute-uri> <HTTP-header> [<alias>]
-#
-ShibMapAttribute urn:mace:dir:attribute-def:eduPersonPrincipalName REMOTE_USER
-ShibMapAttribute urn:mace:dir:attribute-def:eduPersonScopedAffiliation Shib-EP-Affiliation affiliation
-ShibMapAttribute urn:mace:dir:attribute-def:eduPersonEntitlement Shib-EP-Entitlement entitlement
-
-#
# Configure a test directory
#
# You need _at least_ a "require" option for Shib to take effect for this
[shire]
logger=/opt/shibboleth/etc/shibboleth/shire.logger
-aap-uri=/opt/shibboleth/etc/shibboleth/AAP.xml
metadata=metadata_shire
[shar]
[metadata_shire]
edu.internet2.middleware.shibboleth.metadata.XML=/opt/shibboleth/etc/shibboleth/sites.xml
+edu.internet2.middleware.shibboleth.target.AAP.XML=/opt/shibboleth/etc/shibboleth/AAP.xml
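Review bot: The AAP path is now set separately in `[metadata_shire]` here and in `[metadata_shar]` further down, and nothing says the two entries must agree. AAP.xml now carries the header and alias mapping (including `REMOTE_USER`) as well as the value filters, so a mismatch between the two entries or a loosely protected file would change what the web server trusts. I would add a comment above each entry such as `# AAP.xml defines attribute filtering and the REMOTE_USER/alias mapping; keep this path identical in [metadata_shire] and [metadata_shar] and the file writable only by administrators.`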
[metadata_shar]
edu.internet2.middleware.shibboleth.metadata.XML=/opt/shibboleth/etc/shibboleth/sites.xml
edu.internet2.middleware.shibboleth.trust.XML=/opt/shibboleth/etc/shibboleth/trust.xml
-
-[attributes]
-# These are sample eduPerson attributes used in the InCommon pilot.
-# When defining new attributes, be sure to define them in the AAP file, if any,
-# as well as defining them to Apache or other web server.
-urn:mace:dir:attribute-def:eduPersonPrincipalName=scoped
-urn:mace:dir:attribute-def:eduPersonScopedAffiliation=scoped
-urn:mace:dir:attribute-def:eduPersonEntitlement=simple
+edu.internet2.middleware.shibboleth.target.AAP.XML=/opt/shibboleth/etc/shibboleth/AAP.xml
[policies]
# This is a sample policy URI used by the InCommon pilot origins.