...
- Create a Rule element
- Optionally create a Description element, child of the Rule element, whose content is a description of this rule.
- Create a Target element, child of the Rule element whose content.
  - If you want the rule to apply to any service provider, create an AnyTarget element, child of the Target element.
  - If you want the rule to apply to specific service provider(s), create a Requester element with the following attribute and whose content is the string to match:
    - matchFunction - contains the URI identifier of the function used to evaluate whether the content of the Requester element matches the entity ID of the service provider requesting attributes
- Create an Attribute element, child of the Rule element, with the following attribute:
  - name - the name of the attribute this rule applies to; this must match the value of the id attribute on the attribute's definition in the resolver.xml configuration file
  - If you want all attribute values to be released to the service providers this rule applies to, create an AnyValue element, child of the Attribute element
  - If you want to restrict the values released to the service providers this rule applies to, create a Value element, child of the Attribute element, with the following attributes and whose content is the string to match:
    - matchFunction - contains the URI identifier of the function used to evaluate whether the content of the Value element matches the possible value(s) of the attribute
    - release - whether to permit the release of the attributes that match this rule or deny them; permissible values "permit" and "deny"
...
```xml
<Rule>
  <Description>Non-administrative groups released to Brown</Description>
  <Target>
    <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
      .*$brown\.brown\.edu.*
    </Requester>
  </Target>
  <Attribute name="memberOf">
    <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
      ^urn:mace:example.org:group:admin:.*
    </Value>
  </Attribute>
</Rule>
```
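The following added example (not part of the original page or of the Shibboleth code base) models in Python how a rule built with the steps above filters attribute values for a requesting service provider. The rule, entity IDs and group names are constructed; full-string regex matching, exact comparison for other match functions, and deny overriding permit are assumptions of this model.

```python
import re
import xml.etree.ElementTree as ET

REGEX_MATCH = "urn:mace:shibboleth:arp:matchFunction:regexMatch"

# Constructed sample rule; the entity ID and group names are hypothetical.
RULE_XML = r"""
<Rule>
  <Target>
    <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^https://sp\.example\.edu/.*$</Requester>
  </Target>
  <Attribute name="memberOf">
    <AnyValue release="permit"/>
    <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^urn:mace:example.org:group:admin:.*</Value>
  </Attribute>
</Rule>
"""

def matches(elem, candidate):
    """Test a Requester or Value element's content against one string."""
    pattern = (elem.text or "").strip()
    if elem.get("matchFunction") == REGEX_MATCH:
        # Assumption: the pattern must cover the whole string.
        return re.fullmatch(pattern, candidate) is not None
    return pattern == candidate  # assumption: otherwise exact comparison

def rule_applies(rule, requester):
    target = rule.find("Target")
    if target.find("AnyTarget") is not None:
        return True
    return any(matches(r, requester) for r in target.findall("Requester"))

def released(rule_xml, requester, attributes):
    """Return {attribute name: values} this rule releases to requester."""
    rule = ET.fromstring(rule_xml)
    if not rule_applies(rule, requester):
        return {}
    out = {}
    for attr in rule.findall("Attribute"):
        any_permit = any(a.get("release") == "permit" for a in attr.findall("AnyValue"))
        vals = attr.findall("Value")
        hit = lambda v, mode: any(r.get("release") == mode and matches(r, v) for r in vals)
        # Assumption: a matching deny overrides any permit.
        kept = [v for v in attributes.get(attr.get("name"), [])
                if (any_permit or hit(v, "permit")) and not hit(v, "deny")]
        if kept:
            out[attr.get("name")] = kept
    return out
```

Running candidate entity IDs through `released` before deploying a policy shows whether a Requester pattern is anchored tightly enough: here a lookalike ID such as `https://sp.example.edu.other.example/shibboleth` receives nothing.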
...