Overview

The AND type (basic:AND prior to V3.2.0) is one of a very few filter plugin types which can function either as a PolicyRule or as a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule; otherwise it acts as a Matcher.

It is much more usual for the AND type to act as a PolicyRule.

Schema Names

...

Schema Type and Location

The type itself is defined within the urn:mace:shibboleth:2.0:afp schema namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to that, the elements and types described by this page and its children were defined in one of two schema

...

A deprecated version of this type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

...

Use of these namespaces is deprecated but still supported.

Reference

Attributes

None

Child Elements

...

Rules of type AND must have at least one (two in releases prior to 3.2) child <Rule> element. The precise behaviour of each child element is defined by its xsi:type, which is one of the Common Types.

At least one <Rule> element must be present (these are interpreted as PolicyRules or as Matchers depending on whether the enclosing element is a <PolicyRequirementRule> or a <PermitValueRule>/<DenyValueRule>).

If the deprecated basic:AND form is used, then at least two <basic:Rule> child elements must be present.

PolicyRule Semantics

When used as a PolicyRule, the result is the logical AND of the evaluations of the child rules. The child rules should be of type PolicyRule; Matchers used in this position are converted as described here.

Example

The example reads "Only apply this rule when someone has logged in as 'jsmith' and the SP is named 'https://sp.example.org'."

<PolicyRequirementRule xsi:type="AND">
   <Rule xsi:type="Requester" value="https://sp.example.org" />
   <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the result (the permit or deny set) is the intersection of the sets resulting from the child rules; that is, it is the set of values which is common to the results of all child rules. The child rules should be of type Matcher; PolicyRules used in this position are converted as described here.

...

Example

The example reads "Only release those values of the attribute 'uid' which match both regular expressions (start with 'jsmit' and end with 'th')."

<AttributeRule attributeID="uid">
  <PermitValueRule xsi:type="AND">
     <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
     <Rule xsi:type="ValueRegex" regex="^.*th$" />
  </PermitValueRule>
</AttributeRule>
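The two semantics described above (boolean AND in a <PolicyRequirementRule>, set intersection in a <PermitValueRule>) are easiest to see side by side in a small evaluator. The following is an added illustrative model written for this page, not the IdP's own filter engine: it parses a constructed policy fragment combining both examples from this page, supports only the AND, Requester, PrincipalName and ValueRegex types, applies only PermitValueRule (no DenyValueRule), and does not model the conversion between Matchers and PolicyRules. The context keys "requester" and "principal" and the sample uid values are assumptions made for the example.

```python
"""Toy model of the attribute filter AND type (illustrative, not the IdP code)."""
import re
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy fragment combining the two examples on this page.
FILTER_XML = f"""
<AttributeFilterPolicy xmlns="{AFP}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="jsmithToExampleSP">
  <PolicyRequirementRule xsi:type="AND">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="AND">
      <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
      <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
"""


def _local(tag):
    """Strip the namespace from an element tag."""
    return tag.split("}", 1)[-1]


def _child_rules(elem):
    """Return the <Rule> children; AND needs at least one (two before 3.2)."""
    kids = [c for c in elem if _local(c.tag) == "Rule"]
    if elem.get(XSI_TYPE) == "AND" and not kids:
        raise ValueError("AND requires at least one child <Rule>")
    return kids


def eval_policy_rule(rule, ctx):
    """PolicyRule semantics: True/False for the request context.

    ctx is an assumed dict with 'requester' and 'principal' keys.
    """
    rtype = rule.get(XSI_TYPE)
    if rtype == "AND":
        # Logical AND of the child PolicyRules.
        return all(eval_policy_rule(k, ctx) for k in _child_rules(rule))
    if rtype == "Requester":
        return ctx.get("requester") == rule.get("value")
    if rtype == "PrincipalName":
        return ctx.get("principal") == rule.get("value")
    raise ValueError(f"PolicyRule type not modelled here: {rtype}")


def eval_matcher(rule, values):
    """Matcher semantics: the subset of `values` selected by the rule."""
    rtype = rule.get(XSI_TYPE)
    if rtype == "AND":
        # Intersection of the child Matchers' result sets.
        result = set(values)
        for k in _child_rules(rule):
            result &= eval_matcher(k, values)
        return result
    if rtype == "ValueRegex":
        pattern = re.compile(rule.get("regex"))
        return {v for v in values if pattern.search(v)}
    raise ValueError(f"Matcher type not modelled here: {rtype}")


def filter_attributes(policy_xml, ctx, attributes):
    """Apply one policy: gate on the PolicyRequirementRule, then permit values.

    attributes maps attributeID -> set of resolved values. Returns the
    released values per attribute (empty dict if the policy does not apply).
    """
    root = ET.fromstring(policy_xml)
    prr = root.find(f"{{{AFP}}}PolicyRequirementRule")
    if prr is None or not eval_policy_rule(prr, ctx):
        return {}
    released = {}
    for ar in root.findall(f"{{{AFP}}}AttributeRule"):
        attr_id = ar.get("attributeID")
        pvr = ar.find(f"{{{AFP}}}PermitValueRule")
        permitted = eval_matcher(pvr, attributes.get(attr_id, set())) if pvr is not None else set()
        if permitted:
            released[attr_id] = permitted
    return released


if __name__ == "__main__":
    ctx = {"requester": "https://sp.example.org", "principal": "jsmith"}
    uid_values = {"jsmith", "jsmithson", "smith", "jsmit"}  # constructed sample
    print(filter_attributes(FILTER_XML, ctx, {"uid": uid_values}))
```

With the sample values, only "jsmith" survives the intersection: "jsmithson" fails the second regex, "smith" fails the first, and "jsmit" fails the second. Changing either the requester or the principal in the context makes the AND PolicyRule false, so nothing is released at all, which is the gating behaviour the PolicyRule form provides.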

...