...

Entry for describing a group (stored under subtree 'ou=groups'):

dn: XACMLgroupName=testGroup,ou=groups,dc=example,dc=com
objectclass: XACMLgroup
XACMLgroupName: testGroup
XACMLmembers: user1
XACMLmembers: user2

Entry for describing a policy, valid for the group stated above (stored under subtree 'ou=sitearps,ou=policies'):

dn: XACMLpolicyId=exampleArp,ou=sitearps,ou=policies,dc=example,dc=com
objectclass: XACMLpolicy
XACMLpolicyId: exampleArp
XACMLpolicy: <Policy>
 ...see Example ARP...
 </Policy>
XACMLgroupNames: testGroup
XACMLroles: defaultrole

Example ARP

Here is an example XACML ARP. What it does is described in its 'Description' tag.

<Policy
    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="urn:oasis:names:tc:xacml:1.0:context"
    xmlns:condition="urn:mace:dir:attribute-def"
    PolicyId="exampleArp"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
  <Description>
    Attribute to release: eduPersonNickname
    Condition: only release eduPersonNickname if eduPersonPrincipalName has the value foo.bar
    Purpose: authorization
    Action: read
    Target: SP1 or SP2 or SP3
    Obligation: delete data after end of term
    Combination:
    - ARPpriority: combines all applicable policies found, based on priority (parameter set in tag 'CombinerParameter')
    - ordered-permit-overrides: combines the rules within this policy
    Role: defaultrole
  </Description>
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/Rec-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <CombinerParameters>
    <CombinerParameter ParameterName="ARPpriority">100</CombinerParameter>
  </CombinerParameters>
  <!-- Policy target: only SP1, SP2 or SP3 asking for eduPersonNickname -->
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP1|SP2|SP3</AttributeValue>
          <SubjectAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:oasis:names:tc:xacml:1.0:subject:service-provider"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:mace:dir:attribute-def:eduPersonNickname</AttributeValue>
          <ResourceAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#anyURI"
              AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <!-- Rule1: permit the read for purpose "authorization" if eduPersonPrincipalName matches foo.bar -->
  <Rule RuleId="Rule1" Effect="Permit">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
            <ActionAttributeDesignator
                DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
          </ActionMatch>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authorization</AttributeValue>
            <ActionAttributeDesignator
                DataType="http://www.w3.org/2001/XMLSchema#string"
                AttributeId="urn:oasis:names:tc:xacml:1.0:action:purpose"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
      <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo.bar</AttributeValue>
      </Apply>
      <AttributeSelector
          RequestContextPath="//context:ResourceContent/condition:eduPersonPrincipalName/text()"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Condition>
  </Rule>
  <!-- ... nothing more to release ... -->
  <Rule RuleId="releaseNothingMore" Effect="Deny"/>
  <Obligations>
    <Obligation
        ObligationId="data-has-to-be-deleted-after-end-of-term"
        FulfillOn="Permit">
      <AttributeAssignment AttributeId="resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:oasis:names:tc:xacml:1.0:resource:resource-id</AttributeAssignment>
    </Obligation>
  </Obligations>
</Policy>
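To make the decision flow of this ARP concrete, the following added example (not code from the page or from Shibboleth) models how a PDP would evaluate it: the policy target, Rule1 with its condition, the trailing Deny rule under ordered-permit-overrides, and the obligation returned on Permit. The Request class and the resource_content dictionary are assumptions standing in for the XACML request context.

```python
import re
from dataclasses import dataclass


@dataclass
class Request:
    """Assumed stand-in for the XACML request context (constructed, not from the page)."""
    service_provider: str    # urn:...:subject:service-provider
    resource_id: str         # urn:...:resource:resource-id (attribute to release)
    action_id: str           # urn:...:action:action-id
    purpose: str             # urn:...:action:purpose
    resource_content: dict   # values reachable via the AttributeSelector XPath


def regexp_string_match(pattern: str, value: str) -> bool:
    """XACML regexp-string-match, anchored with fullmatch so that "SP1|SP2|SP3"
    does not also accept "SP10" or "EvilSP1". Note that "foo.bar" still treats
    the dot as a wildcard; escape it if a literal ePPN is intended."""
    return re.fullmatch(pattern, value) is not None


def policy_target_matches(req: Request) -> bool:
    """<Target> of the policy: SP regex AND resource-id anyURI-equal."""
    return (regexp_string_match("SP1|SP2|SP3", req.service_provider)
            and req.resource_id == "urn:mace:dir:attribute-def:eduPersonNickname")


def rule1(req: Request) -> str:
    """Rule1 (Permit): action-id = read, purpose = authorization, and the
    any-of-any condition: some ePPN value matches the regex "foo.bar"."""
    if not (req.action_id == "read" and req.purpose == "authorization"):
        return "NotApplicable"
    eppn_values = req.resource_content.get("eduPersonPrincipalName", [])
    if any(regexp_string_match("foo.bar", v) for v in eppn_values):
        return "Permit"
    return "NotApplicable"   # target matched but condition was false


def release_nothing_more(req: Request) -> str:
    """Rule releaseNothingMore (Deny) has no target, so it always applies."""
    return "Deny"


def evaluate(req: Request):
    """ordered-permit-overrides over the two rules; obligation only on Permit."""
    if not policy_target_matches(req):
        return "NotApplicable", []
    decisions = [rule1(req), release_nothing_more(req)]
    if "Permit" in decisions:
        return "Permit", ["data-has-to-be-deleted-after-end-of-term"]
    return ("Deny", []) if "Deny" in decisions else ("NotApplicable", [])
```

Because releaseNothingMore has no target, any request inside the policy target that Rule1 does not permit ends in Deny rather than NotApplicable, which is what keeps other attributes from being released by default.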

...

For errors or additional information, see "shib-error.log" after authenticating with Shibboleth.

...