The <AttributeFilter> element is used to configure plugins that filter incoming attributes to prevent applications protected by an SP from seeing data that violates whatever policies the filter implements.

While there are no specifically "mandated" points at which filters run, the SP generally invokes filtering immediately prior to the caching of a set of attributes into a user's session. Actually performing the filtering process is typically up to an Assertion Consumer Service handler (in the case of attributes delivered during SSO) or an attribute resolver.

The filter's XML "portion" is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly.  

This page refers to several different namespaces, as detailed below:

| Namespace | URI | Description |
|-----------|-----|-------------|
| afp | urn:mace:shibboleth:2.0:afp | The Shibboleth attribute filter rules namespace |
| basic | urn:mace:shibboleth:2.0:afp:mf:basic | The "basic" Shibboleth attribute filter rules namespace |
| conf | urn:mace:shibboleth:2.0:native:sp:config | The Shibboleth SP configuration namespace |

Attributes

The attribute type="XML" must be present.

Any of the reloadable XML file's common attributes can be specified. If the filter is to be specified in a different place, the reloadable attributes may be specified.

Include Page: ReloadableConfigurationAttributes

Child elements

Include Page: ReloadableConfigurationElements

Context

The root of the XML instance MUST be an <afp:AttributeFilterPolicyGroup> element.
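The following pre-deployment check is an added example, not part of the Shibboleth SP or its documentation. It verifies the two requirements stated on this page: type="XML" on the filter element, and an inline policy root in the afp namespace. The function names and sample documents are constructed for illustration, and the check is not a substitute for schema validation.

```python
import xml.etree.ElementTree as ET

# Namespace URIs from the table on this page.
AFP_NS = "urn:mace:shibboleth:2.0:afp"
CONF_NS = "urn:mace:shibboleth:2.0:native:sp:config"
POLICY_ROOT = f"{{{AFP_NS}}}AttributeFilterPolicyGroup"


def check_policy_root(root):
    """Return a list of problems with a policy document's root element."""
    if root.tag == POLICY_ROOT:
        return []
    return [f"policy root is {root.tag}, expected {POLICY_ROOT}"]


def check_filter_config(xml_text):
    """Check each conf:AttributeFilter element and any inline policy in it."""
    try:
        doc = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    filters = list(doc.iter(f"{{{CONF_NS}}}AttributeFilter"))
    if not filters:
        problems.append("no AttributeFilter element in the SP config namespace")
    for flt in filters:
        if flt.get("type") != "XML":
            problems.append(f"AttributeFilter type is {flt.get('type')!r}, expected 'XML'")
        # An inline policy is a child element; a missing afp prefix silently
        # puts it in the enclosing (SP config) namespace.
        for child in flt:
            if child.tag.rsplit("}", 1)[-1] == "AttributeFilterPolicyGroup":
                problems += check_policy_root(child)
    return problems


# Constructed samples (not from the page): inline policy, correct and broken.
GOOD = f"""<AttributeFilter xmlns="{CONF_NS}" type="XML">
  <afp:AttributeFilterPolicyGroup xmlns:afp="{AFP_NS}"/>
</AttributeFilter>"""
BAD = f"""<AttributeFilter xmlns="{CONF_NS}">
  <AttributeFilterPolicyGroup/>
</AttributeFilter>"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_filter_config(sample) or "ok")
```

For a policy kept in a separate file, parse the file and pass its root element to check_policy_root directly.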

...