AAI Attribute Changes Implementation

This page documents the configuration changes necessary to adopt the latest version of the AAI Attribute Specification.

The AAI Attribute Specification defines the attributes used in the SWITCHaai federation. This page documents what IdP and SP operators have to change when a new version of that specification is adopted.

Adopting the changes from v1.3 to v1.4 (10 January 2010)

IdPs

No special changes are necessary for existing IdPs. New IdPs may use the newly introduced values ("tertiaryb", "uppersecondary") of the HomeOrganizationType attribute.

SPs

Service Providers should check whether their access rules still reflect their requirements. In particular, they should make sure that the way they use swissEduPersonHomeOrganizationType is still appropriate, since the new values mean that new groups of users may now hold an AAI account.

Adopting the changes from v1.2 to v1.3 (23 June 2010)

IdP 2

Changes are only necessary in these cases:

  • One of the new attributes is available in your directory.
  • Your organization supports the new value "library-walk-in" for the eduPersonAffiliation attribute.

Update LDAP schema
  1. If one of the new attributes is stored in an LDAP directory, update the eduperson.schema and the swissedu.schema.

Update Shibboleth IdP configuration
  1. Use the latest attribute-resolver.xml file from the IdP deployment guide. See below for the configuration of the "swissEduPersonCardUID" attribute.

  2. On the AAI Resource Registry, update the settings for "Supported Attributes" and "Attribute Release Information".

<!-- attribute-resolver.xml -->
<!-- ... -->
<!-- Card UID attribute -->
    <resolver:AttributeDefinition id="swissEduPersonCardUID"
      xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      sourceAttributeID="swissEduPersonCardUID">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML1String"
          xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
          name="urn:mace:switch.ch:attribute-def:swissEduPersonCardUID" />
        <resolver:AttributeEncoder xsi:type="SAML2String"
          xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
          name="urn:oid:2.16.756.1.2.5.1.1.12"
          friendlyName="swissEduPersonCardUID" />
    </resolver:AttributeDefinition>
<!-- ... -->

SP 2.x

Changes are only necessary in these cases:

  • One of the new attributes is to be used.
  • The affiliation value "library-walk-in" is to be used.
  • The eduPersonTargetedId attribute is to be used.

Update Shibboleth SP configuration files
  1. For the SP configuration, use the latest attribute-map.xml and attribute-policy.xml files from the SP configuration guide.

  2. On the AAI Resource Registry, update the settings for "Required Attributes".
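The IdP's attribute-resolver.xml and the SP's attribute-map.xml have to agree on the SAML attribute names, otherwise the SP silently discards the attribute and any access rule based on it never matches. The following Python script is an added consistency check, not code from the SWITCHaai page or from Shibboleth: it parses the swissEduPersonCardUID resolver fragment shown above (wrapped in a constructed root element) and a constructed SP attribute-map.xml, and reports every encoded name the SP map lacks.

```python
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
MAP_NS = "urn:mace:shibboleth:2.0:attribute-map"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the swissEduPersonCardUID definition from above,
# wrapped in the root element an attribute-resolver.xml normally has.
IDP_RESOLVER = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="swissEduPersonCardUID"
      xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
      sourceAttributeID="swissEduPersonCardUID">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:switch.ch:attribute-def:swissEduPersonCardUID" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:2.16.756.1.2.5.1.1.12"
        friendlyName="swissEduPersonCardUID" />
  </resolver:AttributeDefinition>
</resolver:AttributeResolver>"""

# Constructed sample SP attribute-map.xml that only maps the SAML1 name.
SP_ATTRIBUTE_MAP = """<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map">
  <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonCardUID"
             id="swissEduPersonCardUID" />
</Attributes>"""

def idp_encoded_names(resolver_xml):
    """Map (attribute id, encoder xsi:type) to the name the IdP puts on the wire."""
    root = ET.fromstring(resolver_xml)
    names = {}
    for attr_def in root.iter(f"{{{RESOLVER_NS}}}AttributeDefinition"):
        for enc in attr_def.findall(f"{{{RESOLVER_NS}}}AttributeEncoder"):
            names[(attr_def.get("id"), enc.get(XSI_TYPE))] = enc.get("name")
    return names

def sp_mapped_names(map_xml):
    """Wire names the SP attribute-map.xml will accept."""
    return {a.get("name") for a in ET.fromstring(map_xml).iter(f"{{{MAP_NS}}}Attribute")}

def missing_on_sp(resolver_xml, map_xml):
    """Names the IdP sends that the SP would silently drop, sorted."""
    mapped = sp_mapped_names(map_xml)
    return sorted((i, t, n) for (i, t), n in idp_encoded_names(resolver_xml).items()
                  if n not in mapped)
```

With the constructed sample the check reports the SAML2 name urn:oid:2.16.756.1.2.5.1.1.12 as missing, which is exactly the case where a SAML2 SP would never see the card UID.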

SP 1.3

Official support for Shibboleth SP 1.3 ended on 30 June 2010. Upgrade to the latest Shibboleth SP 2.x.

Get the updated AAP.xml file here.

Adopting the changes from v1.1 to v1.2 (5 September 2007)

At the Identity Provider

If one of the new attributes is available in your directory and you want to release it via AAI, update the resolver.xml file as follows:

Note: In order to use the swissEduPersonMatriculationNumber attribute, you must update your swissEdu LDAP schema. You can download the latest swissEdu LDAP schema from the LDAP-schemas directory.

Note: Do not forget to update the attribute availability on the Resource Registry!

<SimpleAttributeDefinition
  id="urn:mace:dir:attribute-def:uid">
    <DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>

<SimpleAttributeDefinition
  id="urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber">
    <DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>

<SimpleAttributeDefinition
  id="urn:mace:dir:attribute-def:employeeNumber">
    <DataConnectorDependency requires="directory" />
</SimpleAttributeDefinition>

At the Service Provider

If your resource needs one of the new attributes, update the AAP.xml file as follows:

<AttributeRule
  Name="urn:mace:dir:attribute-def:uid"
  Header="Shib-Person-uid"
  Alias="uid">
  <!-- 
  In cases where only users from a single Identity Provider access this 
  Service Provider, it may make sense to set the alias to REMOTE_USER
  -->
    <AnySite>
        <AnyValue />
    </AnySite>
</AttributeRule>

<AttributeRule
  Name="urn:mace:switch.ch:attribute-def:swissEduPersonMatriculationNumber"
  Header="Shib-SwissEP-MatriculationNumber"
  Alias="matriculationNumber">
    <AnySite>
        <AnyValue />
    </AnySite>
</AttributeRule>

<AttributeRule
  Name="urn:mace:dir:attribute-def:employeeNumber"
  Header="Shib-InetOrgPerson-employeeNumber"
  Alias="employeeNumber">
    <AnySite>
        <AnyValue />
    </AnySite>
</AttributeRule>