Overview

Identified by type="XML", this AttributeFilter implements an XML-based rule syntax for filtering attributes that was forked off from the original filtering language designed for the V2 IdP software. The best link to it for the moment is to the old docs, because the V3 language has significantly drifted.

This filter's configuration is implemented as a reloadable XML resource, which means that the XML content can be supplied inline, in a local file, or in a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML in any of those cases MUST be an <afp:AttributeFilterPolicyGroup> element, either as a child element in an existing file or the root of a different file (usually the latter).

General Configuration

Not a lot, this continues to point back to the old V2 IdP software docs for the moment. The main point of divergence with the V3 IdP is the collapsing of namespaces and shortening of some of the function plugin names, which was not backported to the SP.

Reference

This page refers to several different namespaces by convention as detailed below:

| Namespace | URI | Description |
|---|---|---|
| afp | urn:mace:shibboleth:2.0:afp | The Shibboleth attribute filter rules namespace |
| basic | urn:mace:shibboleth:2.0:afp:mf:basic | The "basic" attribute filter rules namespace |
| saml | urn:mace:shibboleth:2.0:afp:mf:saml | The "SAML" attribute filter rules namespace |
| conf | urn:mace:shibboleth:3.0:native:sp:config | The Shibboleth SP configuration namespace |

Attributes

The type="XML" attribute must be present. Aside from the type="XML" attribute itself, there is no other attribute content specific to this plugin type.

It supports all of the attributes common to all reloadable configuration resources (see the included page ReloadableConfigurationAttributes).

Context

The root of the XML instance MUST be an <afp:AttributeFilterPolicyGroup> element.

Child Elements

The following child element must be provided, either inline, or as the root element of a local or remote XML resource to load from, which would be specified via the attribute(s) above.

| Name | Cardinality | Description |
|---|---|---|
| <afp:AttributeFilterPolicyGroup> | 1 | Root element of configuration |

When a non-inline configuration is used, it supports the child elements common to all reloadable configuration resources (see the included page ReloadableConfigurationElements).

Examples

Inline Attribute Filter

```xml
<config:AttributeFilter type="XML">
    <afp:AttributeFilterPolicyGroup
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

        <!-- Shared rule for affiliation values. -->
        <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in"/>
        </afp:PermitValueRule>
    </afp:AttributeFilterPolicyGroup>
</config:AttributeFilter>
```

External Attribute Filter

```xml
<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>
```

The best example of an attribute policy file to this point is the file shipped with the software.
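The root-element requirement and the uncollapsed namespaces described above can be checked before a policy file is deployed. The following is an added example, not code from the Shibboleth project: a small Python lint that verifies the root is afp:AttributeFilterPolicyGroup and that every xsi:type QName resolves to the basic or saml namespace from the table above. The function name `lint_policy`, the sample policy, and the assumption that rule types live only in those two namespaces are illustrative.

```python
import io
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
# Assumption: rule types (xsi:type values) live only in the basic and saml namespaces.
RULE_NAMESPACES = {AFP + ":mf:basic", AFP + ":mf:saml"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample policy, not the file shipped with the software.
SAMPLE = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="basic:OR">
    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
    <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
  </afp:PermitValueRule>
</afp:AttributeFilterPolicyGroup>"""


def lint_policy(xml_text):
    """Return a list of problems found in an attribute filter policy document."""
    problems, scopes, pending, seen_root = [], [], {}, False
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start", "end")):
        if event == "start-ns":
            prefix, uri = payload          # prefix is "" for a default namespace
            pending[prefix] = uri
        elif event == "start":
            # Namespace scope = parent's scope plus this element's own declarations.
            scope = {**(scopes[-1] if scopes else {}), **pending}
            scopes.append(scope)
            pending = {}
            if not seen_root:
                seen_root = True
                if payload.tag != "{%s}AttributeFilterPolicyGroup" % AFP:
                    problems.append("root element is %s" % payload.tag)
            qname = payload.get(XSI_TYPE)
            if qname is not None:
                prefix = qname.rpartition(":")[0]
                if scope.get(prefix) not in RULE_NAMESPACES:
                    problems.append('xsi:type="%s" on %s is not in a rule namespace'
                                    % (qname, payload.tag))
        else:
            scopes.pop()
    return problems


if __name__ == "__main__":
    print(lint_policy(SAMPLE) or "no problems found")
```

An unprefixed value such as xsi:type="OR" passes only when the default namespace in scope is the basic namespace, which is why the lint tracks namespace declarations per element rather than matching on the literal string.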