View Source

By default the following attributes will be released to a correctly configured and authenticated MIT SP:

• HTTP_REMOTE_USER (e.g. johndoe@mit.edu)
• REMOTE_USER (e.g. johndoe@mit.edu)
• HTTP_SHIB_EP_AFFILIATION (e.g. staff@mit.edu)
• HTTP_SHIB_EP_NICKNAME (e.g. John Q. Doe)
• HTTP_SHIB_AUTHENTICATION_METHOD (e.g. urn:oasis:names:tc:SAML:1.0:am:unspecified)
• HTTP_SHIB_IDENTITY_PROVIDER (https://idp.idp.mit.edu/shibboleth)
• HTTP_SHIB_ORIGIN_SITE (https://idp.idp.mit.edu/shibboleth)

The affiliation is not disclosed via certificates that are used today, however a web application can easily look it up via ldap, or get the data from the warehouse. Releasing this via Shibboleth will help to get some application developers thinking about how to use assertions in the future.

The following additional information could be released to a correctly configured and authenticated MIT SP if business requirement is identified and and SLA is created.

• HTTP_SHIB_ATTRIBUTES (encoded copy of all of the entire SAML assertions)
• HTTP_SHIB_EP_PRIMARYAFFILIATION (Staff)
• HTTP_SHIB_INETORGPERSON_GIVENNAME (John Q)
• HTTP_SHIB_INETORGPERSON_MAIL (johndoe@mit.edu)
• HTTP_SHIB_PERSON_COMMONNAME (John Q Doe)
• HTTP_SHIB_PERSON_SURNAME (Doe)
• HTTP_SHIB_PERSON_TELEPHONENUMBER (617-253-xxxx)

Clearly there is no reason to release the phone number by default. If someone had a third party application that expected to receive the phone number via this mechanism, and they had a business for the data, we might be willing to let them have it. If we're already giving them the nickname, the rest of the data that we can easily provide is redundant.

The following information will be released to a correctly configured and authenticated external SP by default:

• HTTP_SHIB_EP_AFFILIATION (e.g. staff@mit.edu)
• HTTP_SHIB_AUTHENTICATION_METHOD (e.g. urn:oasis:names:tc:SAML:1.0:am:unspecified)
• HTTP_SHIB_IDENTITY_PROVIDER (https://idp.idp.mit.edu/shibboleth)
• HTTP_SHIB_ORIGIN_SITE (https://idp.idp.mit.edu/shibboleth)

By default we will not release the username or full name to another site by default, but simply indicating that the user authenticated at our IdP and they have a given affiliation can be useful to some applications while not invading the user's privacy.

The following information may be released to a correctly configured and authenticated external SP after IS&T review and approval:

• HTTP_REMOTE_USER (e.g. johndoe@mit.edu)
• REMOTE_USER (e.g. johndoe@mit.edu)
• HTTP_SHIB_EP_AFFILIATION (e.g. staff@mit.edu)
• HTTP_SHIB_EP_NICKNAME (e.g. John Q. Doe)
• HTTP_SHIB_AUTHENTICATION_METHOD (e.g. urn:oasis:names:tc:SAML:1.0:am:unspecified)
• HTTP_SHIB_IDENTITY_PROVIDER (https://idp.idp.mit.edu/shibboleth)
• HTTP_SHIB_ORIGIN_SITE (https://idp.idp.mit.edu/shibboleth)

Each attribute would be on a case by case basis.