eduroamUID
The etlog system allows eduroam end users to view their own activity. By default it assumes that the user's eduroam identity is equal to the value of the eduPersonPrincipalName attribute. Where that is not the case, the organisational IdP can implement an eduroamUID attribute that carries the user's eduroam identity.
In SAML messages the attribute is identified by the name http://eduroam.cz/attributes/eduroamUID. A Shibboleth IdP 3.x definition (in the configuration file attribute-resolver.xml) might look as follows:
- attribute-resolver-eduroamuid.xml
    <AttributeDefinition id="eduroamUID" xsi:type="ScriptedAttribute">
        <!-- the eduroam identity is derived from the user's uid attribute -->
        <Dependency ref="uid" />
        <AttributeEncoder xsi:type="SAML1String" name="http://eduroam.cz/attributes/eduroamUID" />
        <AttributeEncoder xsi:type="SAML2String" name="http://eduroam.cz/attributes/eduroamUID" friendlyName="eduroamUID" />
        <Script>
            <![CDATA[
            // only produce a value when uid resolved to at least one value;
            // get(0) on an empty value list would abort the resolution with an error
            if (typeof uid != "undefined" && uid != null && uid.getValues().size() > 0) {
                eduroamUID.addValue(uid.getValues().get(0) + "@eduroam.%{idp.scope}");
            }
            ]]>
        </Script>
    </AttributeDefinition>
An IdP has to release this attribute at least to the services with the entityIDs https://monitor.eduroam.cz/shibboleth and https://attributes.eduid.cz/shibboleth. To release the eduroamUID attribute only to those services from the eduID.cz federation that request it in their metadata, one might use the following rule (configuration file attribute-filter.xml):
- attribute-filter-eduroamuid.xml
    <AttributeFilterPolicy id="eduroamUID">
        <!-- applies only to SPs registered in the eduID.cz federation metadata -->
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="InEntityGroup" groupID="https://eduid.cz/metadata" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduroamUID">
            <!-- release when the SP lists the attribute as requested (required or optional) in its metadata -->
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
    </AttributeFilterPolicy>