Identified by type="XML", this AttributeFilter implements an XML-based rule syntax for filtering attributes that was forked from the original filtering language designed for the Identity Provider software. The best link to it for the moment is to the old docs because the V3+ language has significantly drifted.

As of V3.1, a serious attempt has been made to rationalize the language to better align to what is currently supported by the V4 IdP. Further details on the differences are outlined below.


This filter's configuration is implemented as a reloadable XML resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly. The root of the XML in any of those cases MUST be an <afp:AttributeFilterPolicyGroup> element, either as a child element in an existing file or the root of a different file (usually the latter).

General Configuration

Not a lot; this continues to point back to the old V2 IdP software docs for the moment. The main point of divergence from the V3 IdP is the collapsing of namespaces and the shortening of some of the function plugin names, which was not backported to the SP.

Reference

This page refers to several different namespaces by convention as detailed below:

...

Namespace

...

URI

...

Description

...

The language in SP V3.0 (and prior) was generally similar to that of the V2 Identity Provider. V3.1 has been updated with changes that bring the language largely into alignment with the V4 IdP, including the deprecation (and eventual elimination) of the additional "basic" and "saml" namespaces, the shortening of many plugin names, and some additional (though generally minor) functionality.

The match is not exact because not every IdP feature can be supported in the SP and there are features needed in the SP that aren't relevant to the IdP.

As of V3.1, only the "top-level" namespace, "urn:mace:shibboleth:2.0:afp" is needed in policies, and warnings are logged when the other two namespaces are encountered.
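A policy file can be checked ahead of an upgrade for the constructs that would trigger those warnings. The following is an added example, not code from the Shibboleth project: the function name `find_legacy_namespaces` and the sample policy are constructed for illustration, and it assumes the input is a document rooted at the policy group element. It reports every element and every xsi:type value that resolves to a namespace other than the top-level one.

```python
import io
import xml.etree.ElementTree as ET

AFP_NS = "urn:mace:shibboleth:2.0:afp"  # the only namespace V3.1 needs, per this page
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def find_legacy_namespaces(policy_xml):
    """Return sorted (kind, local_name, namespace) triples that resolve outside AFP_NS."""
    findings = set()
    scopes = [{}]   # stack of in-scope prefix -> URI maps, one per open element
    pending = {}    # declarations arrive as start-ns events before their element
    stream = io.BytesIO(policy_xml.encode("utf-8"))
    for event, item in ET.iterparse(stream, events=("start-ns", "start", "end")):
        if event == "start-ns":
            pending[item[0]] = item[1]
        elif event == "start":
            scope = {**scopes[-1], **pending}
            pending = {}
            scopes.append(scope)
            # ElementTree tags look like "{uri}local"; an empty tag_ns means no namespace.
            tag_ns, _, local = item.tag.lstrip("{").rpartition("}")
            if tag_ns != AFP_NS:
                findings.add(("element", local, tag_ns or "(no namespace)"))
            qname = item.get(XSI_TYPE)
            if qname:
                # xsi:type holds a QName; an unprefixed value uses the default namespace.
                prefix, _, type_local = qname.rpartition(":")
                type_ns = scope.get(prefix)
                if type_ns != AFP_NS:
                    findings.add(("xsi:type", type_local, type_ns or "(no namespace)"))
        else:
            scopes.pop()
    return sorted(findings)

# Constructed sample in the older style: the default and "basic" prefixes both map
# to the basic namespace URI that this page lists.
SAMPLE_POLICY = """\
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
  </afp:PermitValueRule>
</afp:AttributeFilterPolicyGroup>
"""

if __name__ == "__main__":
    print(find_legacy_namespaces(SAMPLE_POLICY))
```

Note that the unprefixed xsi:type="OR" is reported as well, because the sample's default namespace is the "basic" one; a text search for the "basic:" prefix alone would miss it.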

...

urn:mace:shibboleth:2.0:afp:mf:basic

...

conf

...

Supported Plugin Types

The following policy and attribute rule function types are supported. Unless otherwise noted, the syntax should be assumed to be identical to the IdP version where applicable.

Reference

Attributes

Aside from the type="XML" attribute itself, there is no other attribute content specific to this plugin type.

...


Examples

Inline Attribute Filter

<!-- The config, afp, basic and xsi prefixes are assumed to be declared on an enclosing element. -->
<config:AttributeFilter type="XML">
    <afp:AttributeFilterPolicyGroup>

        <!-- Shared rule for affiliation values. -->
        <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in"/>
        </afp:PermitValueRule>

    </afp:AttributeFilterPolicyGroup>
</config:AttributeFilter>

External Attribute Filter

<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

The best example to this point is the file shipped with the software.