The <AttributeFilter> element configures the plugin that "filters" incoming attributes so that applications protected by an SP never see data that violates whatever policies the filter implements. A few example use cases include:

  • limiting the values of an attribute whose values are required to come from an enumeration (e.g., the eduPersonScopedAffiliation attribute)
  • applying automated rules for the acceptance of attribute "scopes" based on SAML metadata
  • blocking self-asserted personal identification data from known "open" IdPs
  • limiting custom attributes intended to be used by only a single IdP


While there are no specifically "mandated" points at which filters run, the SP generally invokes filtering immediately prior to caching a set of attributes into a user's session. Actually performing the filtering process is typically up to an AssertionConsumerService handler (in the case of attributes delivered during SSO) or an attribute resolver.

The filter's XML "portion" is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly.  

This page refers to several different namespaces as detailed below:

Namespace | URI | Description
afp | urn:mace:shibboleth:2.0:afp | Attribute filter policy elements (e.g. afp:AttributeFilterPolicyGroup, afp:PermitValueRule)
basic | urn:mace:shibboleth:2.0:afp:mf:basic | Basic match functions used inside rules (e.g. basic:AttributeValueString)

...

Attributes

The type attribute must be present and set to "XML".

If the filter policy is supplied in a separate file rather than inline, the reloadable-resource attributes (such as path and validate in the external example below) may be specified.

Child elements


Context

The root of the XML instance MUST be an <afp:AttributeFilterPolicyGroup> element.

For the time being, refer to the IdPAddAttributeFilter topic for more details.

Examples

Inline Attribute Filter (XML):

<config:AttributeFilter type="XML">
    <afp:AttributeFilterPolicyGroup>

        <!-- Shared rule for affiliation values. The xsi:type is prefixed with
             basic: so it resolves to the match-function namespace regardless
             of the default namespace of the enclosing configuration file. -->
        <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in"/>
        </afp:PermitValueRule>

    </afp:AttributeFilterPolicyGroup>
</config:AttributeFilter>

External Attribute Filter (XML):

<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

See the example attribute policy file, and the AttributeResolver topic, for the contents of such a file.
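As an added example (not code from this page or from the Shibboleth distribution), the following is a complete attribute-policy.xml that the external form above could point at. It applies the shared affiliation rule to an attribute through a PermitValueRuleReference (the enumeration use case) and accepts a custom attribute only from one IdP (the single-IdP use case); the attribute IDs unscoped-affiliation, eppn and customRole and the IdP entityID are assumed values, and the namespace declarations are required because the file stands alone.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule: only values from the eduPersonAffiliation enumeration pass. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
    </afp:PermitValueRule>

    <!-- Policy 1: applies to every IdP (PolicyRequirementRule ANY). Only the
         attributes listed here are kept in the session; an attribute from an
         arbitrary IdP that no rule permits is dropped. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
        <!-- Assumed attribute IDs as mapped by the SP's attribute extractor. -->
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Policy 2: the custom attribute "customRole" (assumed ID) is accepted
         only when the asserting IdP is the one trusted to issue it; the
         entityID below is a constructed placeholder. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
                                   value="https://idp.example.org/idp/shibboleth"/>
        <afp:AttributeRule attributeID="customRole">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Because customRole is permitted only inside the issuer-scoped policy, the same attribute asserted by any other IdP is filtered out before it reaches the session.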

Types

Type | Description
XML | The only type included with the software; implements an XML-based rule syntax for filtering rules that is derived from the original filtering syntax of the Shibboleth IdP software

Reference

Common Attributes

All <AttributeFilter> plugins support the following attributes:

Name | Type | Req? | Description
type | string | Y | Specifies the type of AttributeFilter plugin to use