NIEF Wiki - User contributions [en]

Shibboleth IDP4 Notes

2022-05-24T18:23:06Z

Gtkrug: /* Sample Attribute Resolver */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

==Changes==
An important change is that Shibboleth IDP 4 has a new '''secrets.properties''' file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseNIEFAttributes">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definitions ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

== Sample Attribute Resolver ==
This sample attribute resolver uses the NIEF Attribute Definitions above. The "Simple" data connector type is a custom data connector that reads attributes from files on the filesystem. The dataconnectors are also specified in this same file, but that is not included in this sample. This requires specific attribute ids, that is how the attribute definition is applied to the attribute:



<AttributeDefinition id="recipientId" xsi:type="ScriptedAttribute" >
<Script> <![CDATA[
recipientIdString = requestContext.getPeerEntityId();
recipientId.addValue(recipientIdString);
]]></Script>
</AttributeDefinition>
<AttributeDefinition id="nief28CFR" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="CFRCertified"/>
</AttributeDefinition>
<AttributeDefinition id="niefEmail" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="email"/>
</AttributeDefinition>
<AttributeDefinition id="niefGivenName" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="firstname"/>
</AttributeDefinition>
<AttributeDefinition id="niefSurName" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="lastname"/>
</AttributeDefinition>
<AttributeDefinition id="niefIdentityProviderId" xsi:type="Template" >
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
<Template>
<![CDATA[
NIEF:IDP:${orgid}
]]>
</Template>
</AttributeDefinition>
<AttributeDefinition id="niefEmployer" xsi:type="Simple" >
<InputDataConnector ref="staticAttributes" attributeNames="employer"/>
</AttributeDefinition>
<AttributeDefinition id="niefFedId" xsi:type="Template" >
<InputDataConnector ref="staticAttributes" attributeNames="orgid"/>
<InputDataConnector ref="File" attributeNames="email"/>
<Template>
<![CDATA[
NIEF:IDP:${orgid}:USER:${email}
]]>
</Template>
</AttributeDefinition>
<AttributeDefinition id="niefAAL" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="aal"/>
</AttributeDefinition>
<AttributeDefinition id="niefIAL" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="ial"/>
</AttributeDefinition>
<AttributeDefinition id="niefORI" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="ori"/>
</AttributeDefinition>
<AttributeDefinition id="niefPSO" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="pso"/>
</AttributeDefinition>
<AttributeDefinition id="niefSLEO" xsi:type="Simple" >
<InputDataConnector ref="File" attributeNames="sleo"/>
</AttributeDefinition>

=== Dataconnectors ===
Data connectors looks close to the same as Shibboleth 3, note the '''InputAttributeDefintion''' field is used instead of the old '''Dependency''' concept in Shib3. Here are three sample data connectors, two are built-in 'static' and 'HTTP', while 'Simple' is the one GTRI created that serves from the filesystem:

<DataConnector id="staticAttributes" xsi:type="Static">
<Attribute id="employer">
<Value>Texas National Guard (DEMO)</Value>
</Attribute>
<Attribute id="orgid">
<Value>tng-interop-idp</Value>
</Attribute>
</DataConnector>

<DataConnector id="File" xsi:type="txdps:Test"
pathToAttributeFiles="/opt/shibboleth-idp/users/"
uidAttribute="uid">
<InputAttributeDefinition ref="uid" />
</DataConnector>

<DataConnector id="iirHTTP" xsi:type="HTTP"
httpClientRef="shibboleth.NonCachingHttpClient">
<InputAttributeDefinition ref="niefEmail" />
<URLTemplate>
<![CDATA[
https://tca.iir.com/api/LookupTestCompleted?code=D7utRK84NO8sDTYRjh0UGP3fNXLjrH96FMlKs21YqcBpyTeZp6k/rw==
]]>
</URLTemplate>
<BodyTemplate MIMEType="application/json">
<![CDATA[
{ 'email': '$niefEmail.get(0)' }
]]>
</BodyTemplate>
<ResponseMapping>
<Script>
<![CDATA[
var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
var HashSet = Java.type("java.util.HashSet");
var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
// Limits length to 64k
var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);
logger.info("Query Response = " + body);
var result = JSON.parse(body);
//logger.info("Parsed JSON Completed = " + result.completed);
var attr = new IdPAttribute("CFRCertified");
var values = new HashSet();
if (result.completed) {
values.add(new StringAttributeValue("true"));
} else {
values.add(new StringAttributeValue("false"));
}
attr.setValues(values);
connectorResults.add(attr);
]]>
</Script>
</ResponseMapping>
<ResultCache expireAfterWrite="PT5M"/>
</DataConnector>

== Metadata Providers ==
The following are sample metadata providers that are useful for systems that are working with NIEF. The first is a sample of the NIEF Production metadata provider and the second is an example of the NIEF Testbed provider. In both cases the associated certificate would need to be downloaded and put into the credentials directory for this provider to work:
* [[https://nief.org/trust-fabric/nief-ca.crt NIEF CA Cert]]
* [[https://ref.gfipm.net/ref-gfipm-ca.crt NIEF Testbed Cert]]

=== NIEF Metadata Provider (Production) ===

<MetadataProvider id="NiefMetadata" xsi:type="FileBackedHTTPMetadataProvider" backingFile="%{idp.home}/metadata/nief-metadata.xml" metadataURL="https://nief.org/trust-fabric/nief-trust-fabric.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/nief-ca.cer" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

=== NIEF Testbed Metadata Provider ===

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

== Data Connector Information ==

Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.

=== HTTPConnector ===
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector

GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector

== Ongoing Notes ==
[[Create a NIEF Attribute Registry]]

Selinux Tips

2022-01-11T20:42:44Z

Gtkrug: /* Proxying */

==About==
This page just has a few Selinux tips/reminders

==File Access==
If selinux is blocking access to files that httpd should be able to read it may be they are missing selinux flags:

'''semanage fcontext -a -t httpd_sys_content_t "[FILE OR PATH]"'''

==Proxying==

When proxying backend services with httpd, you typically need to do two things:

* Allow http to make connections: '''setsebool -P httpd_can_network_connect on'''
* Allow the ports for your backend connections: '''semanage port -a -t http_port_t -p tcp ####'''

Selinux Tips

2021-05-13T19:00:33Z

Gtkrug: /* Proxying */

==About==
This page just has a few Selinux tips/reminders

==Proxying==

When proxying backend services with httpd, you typically need to do two things:

* Allow http to make connections: '''setsebool -P httpd_can_network_connect on'''
* Allow the ports for your backend connections: '''semanage port -a -t http_port_t -p tcp ####'''

Selinux Tips

2021-05-13T19:00:06Z

Gtkrug: Created page with "==About== This page just has a few Selinux tips/reminders ==Proxying== When proxying backend services with httpd, you typically need to do two things: * Allow http to make..."

==About==
This page just has a few Selinux tips/reminders

==Proxying==

When proxying backend services with httpd, you typically need to do two things:

* Allow http to make connections: ''setsebool -P httpd_can_network_connect on''
* Allow the ports for your backend connections: ''semanage port -a -t http_port_t -p tcp ####''

NIEF Implementers Wiki

2021-05-13T18:58:13Z

Gtkrug: /* Detailed Articles */

== Getting started ==
* [[How to Implement a NIEF Identity Provider]]
* [[How to Implement a NIEF Service Provider]]

== Detailed Articles ==
* [[Legacy Information]]
* [[NIEF Testbed]]
* [[ADFS 3.0 Configuration Guide]]
* [[F5 Implementation]]
* [[SecureAuth Implementation]]
* [[NetIQ Access Manager]]
* [[Simple SAML PHP]]
* [[Generating Certificates with OpenSSL]]
* [[ASP.NET Shibboleth Debug]]
* [[Editing SAML2 Metadata]]
* [[Shibboleth IDP3 Notes]]
* [[MITREid Connect]]
* [[NIEF Attributes within OIDC]]
* [[OIDC RP]]
* [[PIV-I Identity Provider]]
* [[FIDO/GLUU Identity Provider]]
* [[FIDO Credential Lifecycle Guide]]
* [[Shibboleth IDP4 Notes]]
* [[Selinux Tips]]

Shibboleth HTTP Dataconnector

2021-05-10T17:40:37Z

Gtkrug: /* IIR Sample */

==About==
This is a sample of the [https://wiki.shibboleth.net/confluence/display/IDP30/HTTPConnector Shibboleth HTTP DataConnector].

==IIR Sample==
The URL seen on line 6 is a test URL that always returns false. You will also need to contact IIR to get an authorization code to use the service.
<nowiki><DataConnector id="myHTTP" xsi:type="HTTP"
httpClientRef="shibboleth.NonCachingHttpClient">
<InputAttributeDefinition ref="EmailAddress" />
<URLTemplate>
<![CDATA[
https://tca.iir.com/api/LookupTestNotCompleted?code=[get code from IIR]
]]>
</URLTemplate>

<BodyTemplate MIMEType="application/json">
<![CDATA[
{ 'email': '$EmailAddress.get(0)' }
]]>
</BodyTemplate>

<ResponseMapping>
<Script>
<![CDATA[
var logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");

var HashSet = Java.type("java.util.HashSet");
var HttpClientSupport = Java.type("net.shibboleth.utilities.java.support.httpclient.HttpClientSupport");
var IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
var StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");

// Limits length to 64k
var body = HttpClientSupport.toString(response.getEntity(), "UTF-8", 65536);

logger.info("Query Response = " + body);

var result = JSON.parse(body);

//logger.info("Parsed JSON Completed = " + result.completed);

var attr = new IdPAttribute("CFRCertified");
var values = new HashSet();
if (result.completed) {
values.add(new StringAttributeValue("true"));
} else {
values.add(new StringAttributeValue("false"));
}
attr.setValues(values);
connectorResults.add(attr);
]]>
</Script>
</ResponseMapping>

<ResultCache expireAfterWrite="PT45M"/>
</DataConnector></nowiki>

'''shibboleth.NonCachingHttpClient''' triggers a deprecation warning, but currently it's unclear what should replace this client, so we have not updated these instructions at this time.

Shibboleth IDP4 Notes

2021-05-06T19:11:19Z

Gtkrug: /* Sample attribute-filter */

Shibboleth IDP4 Notes

2021-05-06T19:10:46Z

Gtkrug: /* Changes */

Shibboleth IDP4 Notes

2021-05-06T19:10:18Z

Gtkrug: /* About */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

==Changes==
An important change is that Shibboleth IDP 4 has a new '''secret.properties''' file within the credentials directory. This file will override credentials that are put into the properties file in the config file likely leading to problems. Be sure to migrate service credentials into this properties file.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definitions ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

== Data Connector Information ==

Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.

=== HTTPConnector ===
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector

GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector

== Ongoing Notes ==
[[Create a NIEF Attribute Registry]]

Shibboleth HTTP Dataconnector

2021-05-06T18:04:27Z

Gtkrug: /* IIR Sample */

Shibboleth IDP4 Notes

2021-05-06T18:01:39Z

Gtkrug: /* GFIPM Reference Fed Metadata Provider */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definitions ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

== Data Connector Information ==

Shibboleth 4 supports more DataConnector types than previous versions of Shibbboleth.

=== HTTPConnector ===
Shibboleth Documentation on this connector: https://wiki.shibboleth.net/confluence/display/IDP4/HTTPConnector

GTRI created a sample HTTPConnector that implementes the IIR protocol: https://wiki.nief.org/wiki/Shibboleth_HTTP_Dataconnector

== Ongoing Notes ==
[[Create a NIEF Attribute Registry]]

Create a NIEF Attribute Registry

2021-05-06T02:24:27Z

Gtkrug: /* Sample */

== About ==
Shibboleth 4 has a concept of Attribute Definitions distinct from Resolution and Filtering. We should generate a conformant XML version representing the NIEF Bundles.

== Sample ==
Here is a sample from Shib 4 install:

<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">eduPersonOrcid</prop>
<prop key="transcoder">SAML2StringTranscoder SAML1StringTranscoder</prop>
<prop key="saml2.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
<prop key="saml1.name">urn:oid:1.3.6.1.4.1.5923.1.1.1.16</prop>
<prop key="displayName.en">ORCID</prop>
<prop key="description.en">ORCID researcher identifier(s) belonging to a person.</prop>
</props>
</property>
</bean>

== Template ==
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">InternalAttributeName</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:blah</prop>
<prop key="displayName.en">Attribute Name</prop>
<prop key="description.en">Attribute Definition.</prop>
</props>
</property>
</bean>

== NIEF File ==
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefEmail</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:EmailAddressText</prop>
<prop key="displayName.en">Email Address Text</prop>
<prop key="description.en">Email Address Text</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefEmployer</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:EmployerName</prop>
<prop key="displayName.en">Employer Name</prop>
<prop key="description.en">Employer Name</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefFedId</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:FederationId</prop>
<prop key="displayName.en">Federation Id</prop>
<prop key="description.en">Federation Id</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefGivenName</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:GivenName</prop>
<prop key="displayName.en">Given Name</prop>
<prop key="description.en">Given Name</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefIdentityProviderId</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:IdentityProviderId</prop>
<prop key="displayName.en">Identity Provider Id</prop>
<prop key="description.en">Identity Provider Id</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefSurName</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:SurName</prop>
<prop key="displayName.en">Sur Name</prop>
<prop key="description.en">Sur Name</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefTelephoneNumber</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:TelephoneNumber</prop>
<prop key="displayName.en">Telephone Number</prop>
<prop key="description.en">Telephone Number</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefIdentityProviderId</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:IdentityProviderId</prop>
<prop key="displayName.en">Identity Provider Id</prop>
<prop key="description.en">Identity Provider Id</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefUniqueSubjectId</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:UniqueSubjectId</prop>
<prop key="displayName.en">Unique Subject Id</prop>
<prop key="description.en">Unique Subject Id</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">nief28CFR</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:28CFRCertificationIndicator</prop>
<prop key="displayName.en">28 CFR Certification Indicator</prop>
<prop key="description.en">28 CFR Certification Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefElectronicAuthenticationAssuranceLevelCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:user:2.2.0:ElectronicAuthenticationAssuranceLevelCode</prop>
<prop key="displayName.en">Electronic Authentication Assurance Level Code</prop>
<prop key="description.en">Electronic Authentication Assurance Level Code</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefORI</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:EmployerORI</prop>
<prop key="displayName.en">Employer ORI</prop>
<prop key="description.en">Employer ORI</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefEmployerOrganizationGeneralCategoryCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:EmployerOrganizationGeneralCategoryCode</prop>
<prop key="displayName.en">Employer Organization General Category Code</prop>
<prop key="description.en">Employer Organization General Category Code</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefEmployerStateCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:EmployerStateCode</prop>
<prop key="displayName.en">Employer State Code</prop>
<prop key="description.en">Employer State Code</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefIdentityProofingAssuranceLevelCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:IdentityProofingAssuranceLevelCode</prop>
<prop key="displayName.en">Identity Proofing Assurance Level Code</prop>
<prop key="description.en">Identity Proofing Assurance Level Code</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefPSO</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:PublicSafetyOfficerIndicator</prop>
<prop key="displayName.en">Public Safety Officer Indicator</prop>
<prop key="description.en">Public Safety Officer Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefSLEO</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:SwornLawEnforcementOfficerIndicator</prop>
<prop key="displayName.en">Sworn Law Enforcement Officer Indicator</prop>
<prop key="description.en">Sworn Law Enforcement Officer Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefAAL</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:AuthenticatorAssuranceLevel</prop>
<prop key="displayName.en">Authenticator Assurance Level</prop>
<prop key="description.en">Authenticator Assurance Level</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefFAL</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:FederationAssuranceLevel</prop>
<prop key="displayName.en">Federation Assurance Level</prop>
<prop key="description.en">Federation Assurance Level</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefIAL</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:IdentityAssuranceLevel</prop>
<prop key="displayName.en">Identity Assurance Level</prop>
<prop key="description.en">Identity Assurance Level</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefIntelligenceAnalystIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:IntelligenceAnalystIndicator</prop>
<prop key="displayName.en">Intelligence Analyst Indicator</prop>
<prop key="description.en">Intelligence Analyst Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:CounterTerrorismDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="displayName.en">Counter Terrorism Data Self Search Home Privilege Indicator</prop>
<prop key="description.en">Counter Terrorism Data Self Search Home Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:CriminalHistoryDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="displayName.en">Criminal History Data Self Search Home Privilege Indicator</prop>
<prop key="description.en">Criminal History Data Self Search Home Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="displayName.en">Criminal Intelligence Data Self Search Home Privilege Indicator</prop>
<prop key="description.en">Criminal Intelligence Data Self Search Home Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="displayName.en">Criminal Investigative Data Self Search Home Privilege Indicator</prop>
<prop key="description.en">Criminal Investigative Data Self Search Home Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefDisplayName</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:DisplayName</prop>
<prop key="displayName.en">Display Name</prop>
<prop key="description.en">Display Name</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefGovernmentDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:GovernmentDataSelfSearchHomePrivilegeIndicator</prop>
<prop key="displayName.en">Government Data Self Search Home Privilege Indicator</prop>
<prop key="description.en">Government Data Self Search Home Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefLocalId</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:LocalId</prop>
<prop key="displayName.en">Local Id</prop>
<prop key="description.en">Local Id</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefNCICCertificationIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:NCICCertificationIndicator</prop>
<prop key="displayName.en">NCIC Certification Indicator</prop>
<prop key="description.en">NCIC Certification Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefNDExPrivilegeIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:NDExPrivilegeIndicator</prop>
<prop key="displayName.en">NDEx Privilege Indicator</prop>
<prop key="description.en">NDEx Privilege Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefPCIICertificationIndicator</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">gfipm:2.0:user:PCIICertificationIndicator</prop>
<prop key="displayName.en">PCII Certification Indicator</prop>
<prop key="description.en">PCII Certification Indicator</prop>
</props>
</property>
</bean>
<bean parent="shibboleth.TranscodingProperties">
<property name="properties">
<props merge="true">
<prop key="id">niefFICAMAssuranceLevelCode</prop>
<prop key="transcoder">SAML2StringTranscoder</prop>
<prop key="saml2.name">nief:1.0:user:FICAMAssuranceLevelCode</prop>
<prop key="displayName.en">FICAM Assurance Level Code</prop>
<prop key="description.en">FICAM Assurance Level Code</prop>
</props>
</property>
</bean>

Shibboleth IDP4 Notes

2021-05-06T02:23:56Z

Gtkrug: /* Ongoing Notes */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definitions ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

== Ongoing Notes ==
[[Create a NIEF Attribute Registry]]

Shibboleth IDP4 Notes

2021-05-06T02:23:18Z

Gtkrug: /* GFIPM Reference Fed Metadata Provider */

Shibboleth IDP4 Notes

2021-05-06T02:21:57Z

Gtkrug: /* Attribute Definitions */

Shibboleth IDP4 Notes

2021-05-06T02:21:36Z

Gtkrug: /* Attribute Definition */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definitions ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-06T02:21:19Z

Gtkrug: /* Sample Attribute Definition */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Attribute Definition ==
Add the [[NIEF Attribute Defintions]] to your Shibboleth 4 IDP and then reference the below table when resolving NIEF attributes within the attribute-resolver.xml:

{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-06T02:18:58Z

Gtkrug: /* Sample attribute-filter */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==
The following attribute filter is designed to release all NIEF Mandatory, NIEF Highly Recommended, and NIEF Recommended attributes to all partners. It assumes the attributeIDs as defined within the NIEF Attribute Definitions for Shibboleth 4, seen below.

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="niefEmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployer">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFedId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSurName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefTelephoneNumber">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProviderId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefUniqueSubjectId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="nief28CFR">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefElectronicAuthenticationAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefORI">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerOrganizationGeneralCategoryCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefEmployerStateCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIdentityProofingAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPSO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefSLEO">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefAAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIAL">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefIntelligenceAnalystIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefDisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefGovernmentDataSelfSearchHomePrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefLocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNCICCertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefNDExPrivilegeIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefPCIICertificationIndicator">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="niefFICAMAssuranceLevelCode">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: [[Create a NIEF Attribute Registry]] definition.

If you add the [[NIEF Attribute Defintions]] you can reference this table for the IDs to use within the Attribute Resolver:
{|class="wikitable"
!Id Within attribute-resolver.xml
!Attribute Name
!URL
|-
!colspan="3"|NIEF Mandatory
|-
|niefEmail
|Email Address Text
|https://nief.org/attribute-registry/attributes/user/gfipm/EmailAddressText/2.0
|-
|niefEmployer
|Employer Name
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerName/2.0
|-
|niefFedId
|Federation Id
|https://nief.org/attribute-registry/attributes/user/gfipm/FederationId/2.0
|-
|niefGivenName
|Given Name
|https://nief.org/attribute-registry/attributes/user/gfipm/GivenName/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProviderId/2.0
|-
|niefSurName
|Sur Name
|https://nief.org/attribute-registry/attributes/user/gfipm/SurName/2.0
|-
|niefTelephoneNumber
|Telephone Number
|https://nief.org/attribute-registry/attributes/user/gfipm/TelephoneNumber/2.0
|-
|niefIdentityProviderId
|Identity Provider Id
|https://nief.org/attribute-registry/attributes/user/nief/IdentityProviderId/1.0
|-
|niefUniqueSubjectId
|Unique Subject Id
|https://nief.org/attribute-registry/attributes/user/nief/UniqueSubjectId/1.0
|-
!colspan="3"|NIEF Highly Recommended
|-
|nief28CFR
|28 CFR Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/28CFRCertificationIndicator/2.0
|-
|niefElectronicAuthenticationAssuranceLevelCode
|Electronic Authentication Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/ElectronicAuthenticationAssuranceLevelCode/2.0
|-
|niefORI
|Employer ORI
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerORI/2.0
|-
|niefEmployerOrganizationGeneralCategoryCode
|Employer Organization General Category Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerOrganizationGeneralCategoryCode/2.0
|-
|niefEmployerStateCode
|Employer State Code
|https://nief.org/attribute-registry/attributes/user/gfipm/EmployerStateCode/2.0
|-
|niefIdentityProofingAssuranceLevelCode
|Identity Proofing Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/gfipm/IdentityProofingAssuranceLevelCode/2.0
|-
|niefPSO
|Public Safety Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PublicSafetyOfficerIndicator/2.0
|-
|niefSLEO
|Sworn Law Enforcement Officer Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/SwornLawEnforcementOfficerIndicator/2.0
|-
|niefAAL
|Authenticator Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/AuthenticatorAssuranceLevel/1.0
|-
|niefFAL
|Federation Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/FederationAssuranceLevel/1.0
|-
|niefIAL
|Identity Assurance Level
|https://nief.org/attribute-registry/attributes/user/nief/IdentityAssuranceLevel/1.0
|-
!colspan="3"|NIEF Recommended
|-
|niefIntelligenceAnalystIndicator
|Intelligence Analyst Indicator
|https://nief.org/attribute-registry/attributes/user/nief/IntelligenceAnalystIndicator/1.0
|-
|niefCounterTerrorismDataSelfSearchHomePrivilegeIndicator
|Counter Terrorism Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CounterTerrorismDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalHistoryDataSelfSearchHomePrivilegeIndicator
|Criminal History Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalHistoryDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalIntelligenceDataSelfSearchHomePrivilegeIndicator
|Criminal Intelligence Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalIntelligenceDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefCriminalInvestigativeDataSelfSearchHomePrivilegeIndicator
|Criminal Investigative Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/CriminalInvestigativeDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefDisplayName
|Display Name
|https://nief.org/attribute-registry/attributes/user/gfipm/DisplayName/2.0
|-
|niefGovernmentDataSelfSearchHomePrivilegeIndicator
|Government Data Self Search Home Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/GovernmentDataSelfSearchHomePrivilegeIndicator/2.0
|-
|niefLocalId
|Local Id
|https://nief.org/attribute-registry/attributes/user/gfipm/LocalId/2.0
|-
|niefNCICCertificationIndicator
|NCIC Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NCICCertificationIndicator/2.0
|-
|niefNDExPrivilegeIndicator
|NDEx Privilege Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/NDExPrivilegeIndicator/2.0
|-
|niefPCIICertificationIndicator
|PCII Certification Indicator
|https://nief.org/attribute-registry/attributes/user/gfipm/PCIICertificationIndicator/2.0
|-
|niefFICAMAssuranceLevelCode
|FICAM Assurance Level Code
|https://nief.org/attribute-registry/attributes/user/nief/FICAMAssuranceLevelCode/1.0

|}

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

NIEF Attribute Defintions

2021-05-06T02:15:23Z

Gtkrug: Created page with "==About== How to configure a Shibboleth 4 system to support NIEF/GFIPM attributes in bulk. ==Process== # Download thumb and put it in your ''[IDP_HOME]..."

==About==
How to configure a Shibboleth 4 system to support NIEF/GFIPM attributes in bulk.

==Process==
# Download [[File:NiefAttrs.xml|thumb]] and put it in your ''[IDP_HOME]/conf/attributes/'' directory.
# Edit the ''default-rules.xml'' file and add a rule to process the ''NiefAttrs.xml'' file:
<import resource="niefAttrs.xml" />

File:NiefAttrs.xml

2021-05-06T02:12:35Z

Gtkrug:

Sample NIEF Attributes definitions for Shibboleth 4

Create a NIEF Attribute Registry

2021-05-05T21:32:03Z

Gtkrug:

Create a NIEF Attribute Registry

2021-05-05T21:30:21Z

Gtkrug: Created page with "== About == Shibboleth 4 has a concept of Attribute Definitions distinct from Resolution and Filtering. We should generate a conformant XML version representing the NIEF Bund..."

Shibboleth IDP4 Notes

2021-05-05T21:28:28Z

Gtkrug: /* Sample Attribute Definition */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="OrgId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="empname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="lastname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="firstname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="gfipmmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="fedid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: [[Create a NIEF Attribute Registry]] definition.

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-05T21:28:10Z

Gtkrug: /* Sample Attribute Definition */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="OrgId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="empname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="lastname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="firstname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="gfipmmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="fedid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: [Create a NIEF Attribute Registry] definition.

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-05T21:06:54Z

Gtkrug: /* GFIPM Reference Fed Metadata Provider */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="OrgId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="empname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="lastname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="firstname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="gfipmmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="fedid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: Create a NIEF Attribute Registry definition.

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">
<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-05T21:06:35Z

Gtkrug:

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="OrgId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="empname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="lastname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="firstname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="gfipmmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="fedid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: Create a NIEF Attribute Registry definition.

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

== GFIPM Reference Fed Metadata Provider ==

<MetadataProvider id="HTTPMetadata"
xsi:type="FileBackedHTTPMetadataProvider"
backingFile="%{idp.home}/metadata/localCopyFromNIEFTestbed.xml"
metadataURL="https://ref.gfipm.net/gfipm-signed-ref-metadata.xml">

<MetadataFilter xsi:type="SignatureValidation" certificateFile="%{idp.home}/credentials/gfipm-ca.pem" />
<MetadataFilter xsi:type="EntityRole">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
</MetadataProvider>

Shibboleth IDP4 Notes

2021-05-05T20:57:55Z

Gtkrug: /* Sample Attribute Definition */

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

== Sample attribute-filter ==

<AttributeFilterPolicy id="releaseAll">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="OrgId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="empname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="LocalId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="lastname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="firstname">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="gfipmmail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="fedid">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>

== Sample Attribute Definition ==
To Do: Create a NIEF Attribute Registry definition.

Quick Test, create a properties file per attribute in the ''attributes/custom'' directory:

id=gfipmmail
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:EmailAddressText

id=firstname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:GivenName

id=lastname
transcoder=SAML2StringTranscoder
saml2.name=gfipm:2.0:user:SurName

Shibboleth IDP4 Notes

2021-05-05T20:51:30Z

Gtkrug:

Shibboleth IDP4 Notes

2021-05-05T20:48:34Z

Gtkrug:

Shibboleth IDP4 Notes

2021-05-05T19:01:29Z

Gtkrug: Created page with "==About== Just some notes about Shibboleth IDP4 based on discussions with Texas DPS."

==About==
Just some notes about Shibboleth IDP4 based on discussions with Texas DPS.

NIEF Implementers Wiki

2021-05-05T18:53:21Z

Gtkrug:

NIEF Testbed

2020-02-13T19:41:05Z

Gtkrug: /* Trust Fabric / SAML2 Metadata */

There are a variety of test capabilities within NIEF falling into five roles/categories:

== SAML Relying Party ==

There is one primary test SAML RP: [https://testsp.nief.org/ https://testsp.nief.org/].

== SAML Identity Provider ==

There are multiple Test SAML IDPs:

* [https://testidp.nief.org/ https://testidp.nief.org/] - open access test credentials.
* [https://piv.nief.org/ https://piv.nief.org/] - PIV-I Test Identity Provider, requires test certificates.

== OIDC OpenId Provider ==

[https://openid.nief.org/ https://openid.nief.org/]

== OIDC Relying Party / Client ==

[https://testsp.nief.org/ https://testsp.nief.org/]

== Trust Fabric / SAML2 Metadata ==

[https://ref.gfipm.net/gfipm-signed-ref-metadata.xml https://ref.gfipm.net/gfipm-signed-ref-metadata.xml]

=== Signing Certificate for Testbed Trust Fabric ===

[https://ref.gfipm.net/ref-gfipm-ca.crt https://ref.gfipm.net/ref-gfipm-ca.crt]