In Shibboleth, the release of user attributes from an Identity Provider (IdP) to a Service Provider (SP) is controlled by the Attribute Release Policy (ARP).
At the IdP, the site-wide policy is configured in the arp.site.xml file. In a rule for each SP, the administrator defines which attributes may be released to that SP (permit) and which attributes must never be released to it (deny).
An SP that has no rule in the ARP file must not receive any of the attributes it requests. This case is covered by a default ARP rule that releases nothing.
In addition, Shibboleth checks for a user-specific arp.xml file and, if present, evaluates it as well. In a rule per SP, a user can permit or deny the release of their own attributes, but a user permit cannot override a deny set by the administrator in the site-wide arp.site.xml file: an administrator's deny always wins.
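The following is an added example, not code from Shibboleth or SWITCH, that models how a site ARP and a user ARP combine under the rules above: a matching deny in any ARP beats a permit, an attribute no rule mentions is withheld, and an SP without a rule gets nothing. The XML layout (AttributeReleasePolicy, Rule, Target, Requester, AnyTarget, Attribute, AnyValue in the namespace urn:mace:shibboleth:arp:1.0) follows the Shibboleth 1.x ARP schema as the editor remembers it; treat the element names, the SP identifiers and the two ARP documents as constructed assumptions.

```python
"""Model of how a Shibboleth 1.x-style site ARP and user ARP combine.

Added example, not the Shibboleth IdP's own ARP engine. Element names follow
the urn:mace:shibboleth:arp:1.0 schema as remembered; treat them as assumed.
"""
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"

SP1 = "https://sp1.example.org/shibboleth"            # constructed SP id
SP_UNLISTED = "https://other.example.net/shibboleth"  # SP with no rule
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
MAIL = "urn:mace:dir:attribute-def:mail"
DISPLAY_NAME = "urn:mace:dir:attribute-def:displayName"

# Constructed site ARP (what an administrator would deploy as arp.site.xml):
# one rule for SP1, then a catch-all default rule that grants nothing.
SITE_ARP = f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Rule>
    <Target><Requester>{SP1}</Requester></Target>
    <Attribute name="{AFFILIATION}"><AnyValue release="permit"/></Attribute>
    <Attribute name="{MAIL}"><AnyValue release="deny"/></Attribute>
  </Rule>
  <Rule>
    <Target><AnyTarget/></Target>
  </Rule>
</AttributeReleasePolicy>
"""

# Constructed user ARP for one principal: tries to release mail (which the
# site ARP denies) and displayName (which the site ARP says nothing about).
USER_ARP = f"""<AttributeReleasePolicy xmlns="{ARP_NS}">
  <Rule>
    <Target><Requester>{SP1}</Requester></Target>
    <Attribute name="{MAIL}"><AnyValue release="permit"/></Attribute>
    <Attribute name="{DISPLAY_NAME}"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>
"""


def _q(tag):
    """Namespace-qualify an ARP element name for ElementTree lookups."""
    return f"{{{ARP_NS}}}{tag}"


def parse_arp(xml_text):
    """Return a list of (requesters, decisions) per Rule.

    requesters is a set of SP identifiers, or None for an AnyTarget rule;
    decisions maps an attribute name to 'permit' or 'deny'.
    """
    rules = []
    for rule in ET.fromstring(xml_text).findall(_q("Rule")):
        target = rule.find(_q("Target"))
        if target is None or target.find(_q("AnyTarget")) is not None:
            requesters = None
        else:
            requesters = {r.text.strip() for r in target.findall(_q("Requester"))}
        decisions = {}
        for attr in rule.findall(_q("Attribute")):
            any_value = attr.find(_q("AnyValue"))
            if any_value is not None:
                verdict = any_value.get("release", "permit")
                if verdict not in ("permit", "deny"):
                    raise ValueError(f"bad release value {verdict!r}")
                decisions[attr.get("name")] = verdict
        rules.append((requesters, decisions))
    return rules


def released_attributes(site_rules, user_rules, requester, requested):
    """Attributes to release to `requester`, chosen from those it requested.

    Rules from both ARPs whose Target matches the requester are effective.
    An attribute is released only if some effective rule permits it and no
    effective rule denies it, so a site-ARP deny beats a user-ARP permit and
    an attribute that no rule mentions is withheld (implicit deny).
    """
    effective = [decisions for requesters, decisions in site_rules + user_rules
                 if requesters is None or requester in requesters]
    released = []
    for name in requested:
        verdicts = {d[name] for d in effective if name in d}
        if "permit" in verdicts and "deny" not in verdicts:
            released.append(name)
    return released


def demo():
    """Run the three cases the text describes and return the outcomes."""
    site = parse_arp(SITE_ARP)
    user = parse_arp(USER_ARP)
    wanted = [AFFILIATION, MAIL, DISPLAY_NAME]
    return {
        "sp1, site ARP only": released_attributes(site, [], SP1, wanted),
        "sp1, site + user ARP": released_attributes(site, user, SP1, wanted),
        "unlisted SP, site + user ARP":
            released_attributes(site, user, SP_UNLISTED, wanted),
    }


if __name__ == "__main__":
    for case, attrs in demo().items():
        print(f"{case}: {attrs or '(nothing)'}")
```

With the site ARP alone, SP1 receives only eduPersonAffiliation. Adding the user ARP releases displayName as well, but the user's permit for mail is discarded because the administrator's rule denies it. The unlisted SP receives nothing, since the default rule matches it but grants no attribute. One caveat the model makes visible: because "not releasing" in the default rule is an absence of permits rather than an explicit deny, a user ARP rule that permits an attribute for an SP the site ARP never mentions would, under these precedence rules, release it; an administrator who wants to rule that out has to say deny explicitly in arp.site.xml.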
On the SWITCHaai Resource Registry, a Home Organization administrator can configure some general ARP filtering settings for their IdP: how the attribute requirements defined by the Resource administrators are filtered when the IdP-specific arp.site.xml is generated.
A Home Organization administrator can then retrieve an arp.site.xml file tailored to their IdP from the SWITCHaai Resource Registry.
An IdP administrator can further tailor the arp.site.xml file with the Perl script 'updateARP', which can be downloaded from the Resource Registry. It lets the administrator configure and maintain exceptions, releasing or withholding specific attributes for each SP, and add ARP rules for SPs outside the SWITCHaai federation with which the IdP has bilateral agreements.