Overview

The OR type (basic:OR prior to V3.2.0) is one of a very few filter plugin types which can function as a PolicyRule or as a Matcher.  It takes its behavior from its location.  If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule, otherwise it acts as a Matcher.

It is much the more usual case that the OR type acts as a PolicyRule.

Schema Names

...

Schema Type and Location

The type itself is defined within the urn:mace:shibboleth:2.0:afp schema namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to that, the elements and types defined by this page and its children are defined in one of two schemas

...

A deprecated version of this type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic

...

namespace, the schema for which can be located

...

at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

...

Use of these namespaces is deprecated, but is supported.

Reference

Attributes

None

Child Elements

At least one <Rule> element must be present (these are interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).  The precise behaviour of each child element is defined by its xsi:type, being one of the Common Types.

If the deprecated basic:OR form is used, then at least two <basic:Rule> child elements must be present.

PolicyRule Semantics

When used as a PolicyRule, the result is the logical OR of the evaluation of the child rules.  The child rules should be of type PolicyRule.  Matchers are converted as described here.

...

Example

The example means that the rule is applied if:

  • The principal is jsmith, or
  • The requester (SP) is https://sp.example.org, or
  • The requester (SP) is https://sp2.example.org

<PolicyRequirementRule xsi:type="OR">
   <Rule xsi:type="Requester" value="https://sp.example.org" />
   <Rule xsi:type="Requester" value="https://sp2.example.org" />
   <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the resulting allow or deny set is the (set) union of all the sets resulting from the child rules (that is, it is the set of all items that appear in the result of any of the child rules).  The child rules should be of type Matcher.  Policy rules are converted as described here.

...

Example

The example reads "Release those values of the attribute 'uid' which match either of the regular expressions (starting with jsmit or ending with th)."

<AttributeRule attributeID="uid">
  <PermitValueRule xsi:type="OR">
     <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
     <Rule xsi:type="ValueRegex" regex="^.*th$" />
  </PermitValueRule>
</AttributeRule>
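The two semantics described above (OR in PolicyRule position giving a logical OR of its children, OR in Matcher position giving the set union of its children's results) worked through as an added Python example. This is not Shibboleth's own code: it wraps the page's two snippets in a constructed <AttributeFilterPolicy> and evaluates them with a deliberately minimal evaluator that understands only the xsi:types shown on this page (OR, Requester, PrincipalName, ValueRegex). The principal names, requester entityIDs and uid values fed to it are constructed sample data, and whole-value regex matching for ValueRegex is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET

# Attribute name of xsi:type in Clark notation, as ElementTree reports it.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy: the page's OR PolicyRule and OR Matcher examples,
# wrapped in a minimal AttributeFilterPolicy so both contexts are present.
POLICY_XML = """
<AttributeFilterPolicy id="orExample"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
    <Rule xsi:type="Requester" value="https://sp2.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="OR">
      <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
      <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
""".strip()


def eval_policy_rule(elem, ctx):
    """PolicyRule semantics: return True/False for a filter context.

    ctx is a dict with 'principal' and 'requester' (constructed shape for
    this example; the real IdP passes a richer context object).
    """
    rule_type = elem.get(XSI_TYPE)
    if rule_type == "OR":
        # Logical OR over the children; an OR with no children is false.
        return any(eval_policy_rule(child, ctx) for child in elem)
    if rule_type == "Requester":
        return ctx["requester"] == elem.get("value")
    if rule_type == "PrincipalName":
        return ctx["principal"] == elem.get("value")
    raise ValueError(f"PolicyRule type {rule_type!r} not supported by this example")


def eval_matcher(elem, values):
    """Matcher semantics: return the subset of `values` the matcher selects."""
    rule_type = elem.get(XSI_TYPE)
    if rule_type == "OR":
        # Set union over the children; an OR with no children selects nothing.
        selected = set()
        for child in elem:
            selected |= eval_matcher(child, values)
        return selected
    if rule_type == "ValueRegex":
        # Assumption: the regex must match the whole value (both page regexes
        # are anchored, so this choice does not change their result).
        pattern = re.compile(elem.get("regex"))
        return {v for v in values if pattern.fullmatch(v)}
    raise ValueError(f"Matcher type {rule_type!r} not supported by this example")


def filter_attributes(policy_xml, ctx, attributes):
    """Apply one AttributeFilterPolicy to a set of resolved attributes.

    If the PolicyRequirementRule does not hold for ctx, the policy releases
    nothing ({}); otherwise each AttributeRule's PermitValueRule selects the
    values that may be released for its attributeID.
    """
    root = ET.fromstring(policy_xml)
    requirement = root.find("PolicyRequirementRule")
    if not eval_policy_rule(requirement, ctx):
        return {}
    released = {}
    for attr_rule in root.findall("AttributeRule"):
        attr_id = attr_rule.get("attributeID")
        values = set(attributes.get(attr_id, ()))
        permit = attr_rule.find("PermitValueRule")
        released[attr_id] = eval_matcher(permit, values)
    return released


if __name__ == "__main__":
    # Constructed sample data: the PrincipalName branch of the OR fires even
    # though neither Requester branch does; the Matcher OR then keeps every
    # uid value matched by either regex.
    ctx = {"principal": "jsmith", "requester": "https://other.example.org"}
    attrs = {"uid": ["jsmith", "jsmithson", "kenneth", "bob"]}
    print(filter_attributes(POLICY_XML, ctx, attrs))
    # A requester that matches the second Requester child also satisfies the
    # policy for a different principal.
    ctx2 = {"principal": "alice", "requester": "https://sp2.example.org"}
    print(filter_attributes(POLICY_XML, ctx2, attrs))
```

Running it shows the two behaviours side by side: `{'uid': {'jsmith', 'jsmithson', 'kenneth'}}` for both contexts, because the PolicyRule OR needs only one child to hold, and the Matcher OR releases "jsmith" (matched by both regexes), "jsmithson" (first regex only) and "kenneth" (second regex only) while dropping "bob". A context satisfying none of the three children releases nothing at all.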

...