Overview
Each <afp:AttributeRule> defines a set of ... filter operation to be applied to the values of one specified attribute.
Each rule is either a permit rule, in which case the filtered values are added to the permit list as described here, or a deny rule, in which case the filtered attributes are added to the deny list as described.
Examples
```xml
<afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="jsmith" ignoreCase="true" />
</afp:AttributeRule>
```
Reference
Schema Name
Elements and types described in this page and its children are defined in one of three schemas:
- by the urn:mace:shibboleth:2.0:afp (afp:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
- by the urn:mace:shibboleth:2.0:afp:mf:basic (basic:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
- by the urn:mace:shibboleth:2.0:afp:mf:saml (saml:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.
Attributes
Name | Type | Description |
---|---|---|
attributeID | String | This required attribute specifies the attribute name (as defined by an AttributeDefinition statement in the attribute-resolver.xml file) |
permitAny | boolean | If this is present and is "true", then no child elements should be provided and the entire statement is shorthand for <afp:AttributeRule attributeID="..."> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> |
Child Elements
Either <afp:DenyValueRule> or <afp:PermitValueRule> is specified as a child element. These elements must have a type, specified by xsi:type, that is one of the Common Types.
This rule should be of a matcher type. If it is of PolicyRule type, then it will be converted as described here.
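The constraints from the Attributes and Child Elements sections can be checked mechanically before a filter policy is deployed. The following is an added example, not Shibboleth code: `audit_rules`, the finding labels and the sample policy are constructed here, and "one of" is read as exactly one value rule per `<afp:AttributeRule>`.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
PERMIT, DENY = f"{{{AFP}}}PermitValueRule", f"{{{AFP}}}DenyValueRule"

# Constructed sample for this example; only the first rule comes from the page,
# and the wrapper element is reduced to what the parser needs.
SAMPLE = """<afp:AttributeFilterPolicy id="constructed-example"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="jsmith" ignoreCase="true" />
  </afp:AttributeRule>
  <afp:AttributeRule attributeID="mail" permitAny="true" />
  <afp:AttributeRule attributeID="uid" permitAny="true">
    <afp:DenyValueRule xsi:type="basic:AttributeValueString" value="root" />
  </afp:AttributeRule>
  <afp:AttributeRule>
    <afp:PermitValueRule xsi:type="basic:ANY" />
    <afp:DenyValueRule xsi:type="basic:ANY" />
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>"""

def audit_rules(xml_text):
    """Return (attributeID, finding) pairs for every afp:AttributeRule in xml_text."""
    findings = []
    for rule in ET.fromstring(xml_text).iter(f"{{{AFP}}}AttributeRule"):
        label = rule.get("attributeID") or "<missing>"
        children = [c for c in rule if c.tag in (PERMIT, DENY)]
        permit_any = rule.get("permitAny") == "true"
        if rule.get("attributeID") is None:
            findings.append((label, "missing-attributeID"))  # attributeID is required
        if permit_any and children:
            findings.append((label, "permitAny-with-children"))  # shorthand takes no children
        elif not permit_any and len(children) != 1:
            findings.append((label, "need-exactly-one-value-rule"))
        # Unrestricted release: permitAny, or a permit rule typed ANY. The xsi:type
        # prefix is not resolved here; it is assumed to map to the basic: schema.
        permits_all = permit_any or any(
            c.tag == PERMIT and c.get(f"{{{XSI}}}type", "").split(":")[-1] == "ANY"
            for c in children)
        if permits_all:
            findings.append((label, "releases-all-values"))
    return findings

if __name__ == "__main__":
    for attr_id, finding in audit_rules(SAMPLE):
        print(f"{attr_id}: {finding}")
```

The `releases-all-values` finding is not an error in itself; it marks rules that release an attribute without any value restriction so they can be reviewed against the intended recipients.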