changes to default 'release' config

conf/attribute-filter.xml

@@ -45,34 +45,56 @@
         </AttributeRule>
     </AttributeFilterPolicy>
 	-->
+
+	<!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
     <AttributeFilterPolicy id="releaseRandSAttributeBundle">
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
 			attributeName="http://macedir.org/entity-category"
 			attributeValue="http://refeds.org/category/research-and-scholarship"/>
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="eduPersonScopedAffiliation">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="givenName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="surname">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="displayName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
+    </AttributeFilterPolicy>
+
+
+	<!-- Attribute release for all InCommon SPs -->
+    <AttributeFilterPolicy id="releaseToInCommon">	
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
     </AttributeFilterPolicy>
 
 </AttributeFilterPolicyGroup>

conf/attribute-resolver.xml

@@ -60,6 +60,12 @@
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
 
+	<!-- The attribute definition below is designed to represent whether a particular user is FERPA_restricted for attribute release
+	     Change the sourceAttributeID property to reflect the correct attribute name in the local LDAP -->
+    <AttributeDefinition xsi:type="Simple" id="isFERPAattr" sourceAttributeID="isFERPAattr">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML2String" name="foo:attributes:isFERPAattr" friendlyName="isFERPAattr" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->

conf/idp.properties

@@ -161,7 +161,7 @@ idp.authn.flows= Password
 #idp.replayCache.StorageService = shibboleth.StorageService
 
 # Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
+idp.artifact.enabled = false
 # Suppresses typical signing/encryption when artifact binding used
 #idp.artifact.secureChannel = true
 # May differ to direct SAML 2 artifact lookups to specific server nodes

conf/intercept/profile-intercept.xml

@@ -30,9 +30,25 @@
 
                 <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
 
-                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" p:activationCondition-ref="isFERPA" />
             </list>
         </property>
     </bean>
 
+	<!-- Check if the FERPA restriction attribute is set -->
+    <bean id="isFERPA" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+      <property name="attributeValueMap">
+        <map>
+            <entry key="isFERPAattr">
+                <list>
+                    <value>true</value>
+                    <value>TRUE</value>
+                    <value>YES</value>
+                    <value>yes</value>
+				</list>
+            </entry>
+        </map>
+      </property>
+    </bean>
+
 </beans>

conf/relying-party.xml

@@ -34,14 +34,16 @@
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
         <property name="profileConfigurations">
             <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <!-- Uncomment to enable optional SAML 1.1 support -->
+				<!--<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
+                <ref bean="SAML1.ArtifactResolution" />-->
                 <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
+				<!-- Uncomment to enable optional back-channel features -->
+				<!--<ref bean="SAML2.AttributeQuery" />
+                <ref bean="SAML2.ArtifactResolution" />-->
                 <ref bean="Liberty.SSOS" />
             </list>
         </property>