From 0ef50006a9f77de6789001dd2670a9dd263b234b Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 6 Apr 2017 12:19:50 -0500
Subject: [PATCH] changes to default 'release' config

---
 conf/attribute-filter.xml            | 34 +++++++++++++++++++++++-----
 conf/attribute-resolver.xml          |  6 +++++
 conf/idp.properties                  |  2 +-
 conf/intercept/profile-intercept.xml | 18 ++++++++++++++-
 conf/relying-party.xml               | 10 ++++----
 5 files changed, 58 insertions(+), 12 deletions(-)

diff --git a/conf/attribute-filter.xml b/conf/attribute-filter.xml
index 7186d4c..b4aaae4 100644
--- a/conf/attribute-filter.xml
+++ b/conf/attribute-filter.xml
@@ -45,6 +45,8 @@
         </AttributeRule>
     </AttributeFilterPolicy>
 	-->
+	
+	<!-- Attribute release for all SPs (global) tagged as 'Research and Scholarship' -->
     <AttributeFilterPolicy id="releaseRandSAttributeBundle">
         <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
 			attributeName="http://macedir.org/entity-category"
@@ -52,27 +54,47 @@
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="eduPersonScopedAffiliation">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="givenName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="surname">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="displayName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
         <AttributeRule attributeID="mail">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
-
+    </AttributeFilterPolicy>
+	
+	
+	<!-- Attribute release for all InCommon SPs -->
+    <AttributeFilterPolicy id="releaseToInCommon">	
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+			attributeName="http://macedir.org/entity-category"
+			attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="displayName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
     </AttributeFilterPolicy>
 	
 </AttributeFilterPolicyGroup>
diff --git a/conf/attribute-resolver.xml b/conf/attribute-resolver.xml
index 04e502f..00d5d11 100644
--- a/conf/attribute-resolver.xml
+++ b/conf/attribute-resolver.xml
@@ -60,6 +60,12 @@
         <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
     </AttributeDefinition>
 
+	<!-- The attribute definition below is designed to represent whether a particular user is FERPA_restricted for attribute release
+	     Change the sourceAttributeID property to reflect the correct attribute name in the local LDAP -->
+    <AttributeDefinition xsi:type="Simple" id="isFERPAattr" sourceAttributeID="isFERPAattr">
+        <Dependency ref="myLDAP" />
+        <AttributeEncoder xsi:type="SAML2String" name="foo:attributes:isFERPAattr" friendlyName="isFERPAattr" encodeType="false" />
+    </AttributeDefinition>
 
     <!-- ========================================== -->
     <!--      Data Connectors                       -->
diff --git a/conf/idp.properties b/conf/idp.properties
index aa8e5e5..d7cfea7 100644
--- a/conf/idp.properties
+++ b/conf/idp.properties
@@ -161,7 +161,7 @@ idp.authn.flows= Password
 #idp.replayCache.StorageService = shibboleth.StorageService
 
 # Toggles whether to allow outbound messages via SAML artifact
-#idp.artifact.enabled = true
+idp.artifact.enabled = false
 # Suppresses typical signing/encryption when artifact binding used
 #idp.artifact.secureChannel = true
 # May differ to direct SAML 2 artifact lookups to specific server nodes
diff --git a/conf/intercept/profile-intercept.xml b/conf/intercept/profile-intercept.xml
index 4040a10..87854cb 100644
--- a/conf/intercept/profile-intercept.xml
+++ b/conf/intercept/profile-intercept.xml
@@ -30,9 +30,25 @@
         
                 <bean id="intercept/terms-of-use" parent="shibboleth.consent.TermsOfUseFlow" />
         
-                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" />
+                <bean id="intercept/attribute-release" parent="shibboleth.consent.AttributeReleaseFlow" p:activationCondition-ref="isFERPA" />
             </list>
         </property>
     </bean>
 
+	<!-- Check if the FERPA restriction attribute is set -->
+    <bean id="isFERPA" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+      <property name="attributeValueMap">
+        <map>
+            <entry key="isFERPAattr">
+                <list>
+                    <value>true</value>
+                    <value>TRUE</value>
+                    <value>YES</value>
+                    <value>yes</value>
+				</list>
+            </entry>
+        </map>
+      </property>
+    </bean>
+
 </beans>
diff --git a/conf/relying-party.xml b/conf/relying-party.xml
index 28c9193..9809137 100644
--- a/conf/relying-party.xml
+++ b/conf/relying-party.xml
@@ -34,14 +34,16 @@
     <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
         <property name="profileConfigurations">
             <list>
-                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <!-- Uncomment to enable optional SAML 1.1 support -->
+				<!--<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML1.AttributeQuery" />
-                <ref bean="SAML1.ArtifactResolution" />
+                <ref bean="SAML1.ArtifactResolution" />-->
                 <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
-                <ref bean="SAML2.AttributeQuery" />
-                <ref bean="SAML2.ArtifactResolution" />
+				<!-- Uncomment to enable optional back-channel features -->
+				<!--<ref bean="SAML2.AttributeQuery" />
+                <ref bean="SAML2.ArtifactResolution" />-->
                 <ref bean="Liberty.SSOS" />
             </list>
         </property>