Overview
The AND type (basic:AND prior to V3.2.0) is one of a very few filter plugin types which can function as a PolicyRule or as a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule; otherwise it acts as a Matcher.
It is much the more usual case that the AND (basic:AND) type acts as a PolicyRule.
Schema Names
Schema Type and Location
The type itself is defined within the urn:mace:shibboleth:2.0:afp schema namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to V3.2.0, the elements and types defined by this page and its children were defined in one of two schemas. A deprecated version of this type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
Use of these namespaces is deprecated, but is supported.
Reference
Attributes
None
Child Elements
Rules of type basic:AND must have at least one (two in releases prior to 3.2) child <basic:Rule> element. The precise behaviour of each child element is defined by its xsi:type, being one of the Common Types.
At least one <Rule> element must be present (these are interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context). If the deprecated basic:AND form is used, then at least two <basic:Rule> child elements must be present.
PolicyRule Semantics
When used as a PolicyRule, the result is the logical AND of the evaluation of the child rules. The child rules should be of type PolicyRule. Matchers are converted as described here.
Example
The example reads "Only apply this rule when someone has logged in as jsmith and the SP is named 'https://sp.example.org'."

    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="https://sp.example.org" />
        <Rule xsi:type="PrincipalName" value="jsmith" />
    </PolicyRequirementRule>
Matcher Semantics
When used as a Matcher, the allow or deny set result is the intersection of all sets resulting from the child rules (that is, it is the set of items which is common to the results of all child rules). The child rules should be of type Matcher. Policy rules are converted as described here.
Example
The example reads "Only release those values for the attribute 'uid' which match both of the regular expressions (starting with jsmi and ending with th)."

    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="AND">
            <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
            <Rule xsi:type="ValueRegex" regex="^.*th$" />
        </PermitValueRule>
    </AttributeRule>
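As an added example (not code from the Shibboleth project or this page), the following Python script models the two behaviours described under PolicyRule Semantics and Matcher Semantics: an AND placed under <PolicyRequirementRule> yields the logical AND of its children's yes/no results, while an AND placed under <PermitValueRule> yields the intersection of the value sets its children select. It combines both examples from this page into one constructed policy and models only the Requester, PrincipalName, Value and ValueRegex child types; DenyValueRule is not modelled, the regex is applied as a whole-value match, and the function names (eval_policy_rule, eval_matcher, apply_policy) are this example's own.

```python
"""Toy model of the Shibboleth attribute filter AND type (added example).

Inside <PolicyRequirementRule> the AND is a PolicyRule: the logical AND of its
children's boolean results.  Inside <PermitValueRule> it is a Matcher: the
intersection of the value sets its children return.  Only the Requester,
PrincipalName, Value and ValueRegex child types are modelled, and DenyValueRule
is ignored; the function names here are this example's own, not Shibboleth's.
"""
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample policy: the two examples from the page, combined.
POLICY_XML = """<AttributeFilterPolicy id="releaseUidToExampleSP"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PolicyRequirementRule xsi:type="AND">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="AND">
      <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
      <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
"""


def xsi_type(elem):
    """xsi:type of an element with any prefix (e.g. "basic:") stripped."""
    return elem.get(XSI_TYPE, "").split(":")[-1]


def and_children(elem):
    """The <Rule> children of an AND; the page requires at least one."""
    children = list(elem)
    if not children:
        raise ValueError("AND requires at least one child <Rule>")
    return children


def eval_policy_rule(elem, ctx):
    """PolicyRule context: a yes/no decision about the whole request."""
    t = xsi_type(elem)
    if t == "AND":
        # Logical AND: every child rule must hold.
        return all(eval_policy_rule(c, ctx) for c in and_children(elem))
    if t == "Requester":
        return ctx["requester"] == elem.get("value")
    if t == "PrincipalName":
        return ctx["principal"] == elem.get("value")
    raise ValueError(f"{t!r} is not modelled as a PolicyRule here")


def eval_matcher(elem, values):
    """Matcher context: the subset of `values` that the rule selects."""
    t = xsi_type(elem)
    if t == "AND":
        # Intersection: keep only values that every child rule selects.
        result = set(values)
        for c in and_children(elem):
            result &= eval_matcher(c, values)
        return result
    if t == "Value":
        return {v for v in values if v == elem.get("value")}
    if t == "ValueRegex":
        # Assumption of this model: the regex must match the whole value.
        pat = re.compile(elem.get("regex"))
        return {v for v in values if pat.fullmatch(v)}
    raise ValueError(f"{t!r} is not modelled as a Matcher here")


def apply_policy(xml_text, requester, principal, attributes):
    """Values one AttributeFilterPolicy permits for a request.

    `attributes` maps attribute ID -> set of values.  Returns {} when the
    PolicyRequirementRule fails, i.e. the policy does not apply at all.
    """
    policy = ET.fromstring(xml_text)
    ctx = {"requester": requester, "principal": principal}
    if not eval_policy_rule(policy.find("PolicyRequirementRule"), ctx):
        return {}
    permitted = {}
    for arule in policy.findall("AttributeRule"):
        permit = arule.find("PermitValueRule")
        if permit is None:
            continue
        aid = arule.get("attributeID")
        permitted[aid] = eval_matcher(permit, attributes.get(aid, set()))
    return permitted


if __name__ == "__main__":
    attrs = {"uid": {"jsmith", "jsmitty", "jsmiley", "smith"}}  # constructed
    print(apply_policy(POLICY_XML, "https://sp.example.org", "jsmith", attrs))
    print(apply_policy(POLICY_XML, "https://other.example.org", "jsmith", attrs))
```

Run against the constructed uid values, the first regex selects {jsmith, jsmitty} and the second {jsmith, smith}; the Matcher AND releases only their intersection, {jsmith}. Change the requester or principal and the PolicyRule AND fails, so the policy releases nothing, which is the "takes its behavior from its location" point of the Overview in runnable form.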