Overview
The OR type (basic:OR prior to V3.2.0) is one of a very few filter plugin types which can function either as a PolicyRule or as a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule; otherwise it acts as a Matcher.
It is much the more usual case that the OR type acts as a PolicyRule.
Schema Names
Schema Type and Location
The type itself is defined within the urn:mace:shibboleth:2.0:afp schema namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to that, the elements and types defined by this page and its children are defined in one of two schemas ...
A deprecated version of this type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
Use of these namespaces is deprecated, but is supported.
Reference
Attributes
None
Child Elements
Rules of type basic:OR must have at least one (two in releases prior to 3.2) child <basic:Rule> element. The precise behaviour of each child element is defined by its xsi:type, which is one of the Common Types.
At least one <Rule> element must be present (these are interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).
If the deprecated basic:OR form is used, then at least two <basic:Rule> child elements must be present.
PolicyRule Semantics
When used as a PolicyRule, the result is the logical OR of the evaluation of the child rules. The child rules should be of type PolicyRule; Matchers are converted as described here.
Example
The example means that the rule is applied if:
- The principal is jsmith, or
- The SP (relying party) is named https://sp.example.org, or
- The SP (relying party) is named https://sp2.example.org

```xml
<PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="AttributeRequester" value="https://sp.example.org" />
    <Rule xsi:type="AttributeRequester" value="https://sp2.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>
```
Matcher Semantics
When used as a Matcher, the allow or deny result is the set union of all the sets resulting from the child rules (that is, it is the set of every item that appears in the result of any of the child rules). The child rules should be of type Matcher; PolicyRules are converted as described here.
Example
The example reads "Release those values of the attribute 'uid' which match either of the regular expressions (starting with jsmi or ending with th)."

```xml
<AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="OR">
        <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
        <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
</AttributeRule>
```
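To make the two evaluation modes described in the PolicyRule Semantics and Matcher Semantics sections concrete, the following is an added Python illustration (not Shibboleth's own code) that parses the two snippets from this page and evaluates them: in PolicyRule position the OR is the logical 'or' of its children, in Matcher position it is the set union of what the children select. It assumes an evaluation context shaped as a dict with `principal` and `requester` keys, implements only the rule types the two examples use (OR, PrincipalName, AttributeRequester, ValueRegex), does not model the PolicyRule/Matcher conversions the page refers to, and adds an `xmlns:xsi` declaration to each fragment so that it parses on its own.

```python
"""Toy evaluator for the Shibboleth attribute filter <OR> type.

Added illustration, not Shibboleth's code. Assumptions: the evaluation
context is a plain dict with 'principal' and 'requester' keys; only the rule
types used in the page's two examples (OR, PrincipalName, AttributeRequester,
ValueRegex) are implemented; the PolicyRule/Matcher conversions the page
refers to are not modelled, so a rule of the wrong kind raises ValueError.
"""
import re
import xml.etree.ElementTree as ET

# Namespace-qualified attribute name that ElementTree uses for xsi:type.
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def _children(el):
    """Child <Rule> elements; an OR with none is a configuration error."""
    children = list(el)
    if not children:
        raise ValueError("OR rule must have at least one child Rule")
    return children


def eval_policy_rule(el, ctx):
    """PolicyRule context: a boolean; OR is the logical 'or' of its children."""
    t = el.get(XSI_TYPE)
    if t == "OR":
        return any(eval_policy_rule(c, ctx) for c in _children(el))
    if t == "PrincipalName":
        return ctx["principal"] == el.get("value")
    if t == "AttributeRequester":
        return ctx["requester"] == el.get("value")
    raise ValueError(f"unsupported or non-PolicyRule type in PolicyRule context: {t}")


def eval_matcher(el, values):
    """Matcher context: the set of values selected; OR is the union of its children."""
    t = el.get(XSI_TYPE)
    if t == "OR":
        result = set()
        for c in _children(el):
            result |= eval_matcher(c, values)
        return result
    if t == "ValueRegex":
        # Assumption: the regex must match the whole value, as Java's
        # Matcher.matches() does; the page's patterns are anchored anyway.
        pattern = re.compile(el.get("regex"))
        return {v for v in values if pattern.fullmatch(v)}
    raise ValueError(f"unsupported or non-Matcher type in Matcher context: {t}")


# The page's first example, with an xmlns:xsi declaration added so the fragment
# parses stand-alone (in a real policy file it is declared on the root element).
POLICY_XML = """
<PolicyRequirementRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="OR">
    <Rule xsi:type="AttributeRequester" value="https://sp.example.org" />
    <Rule xsi:type="AttributeRequester" value="https://sp2.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>
"""

# The page's second example, with the same added declaration.
ATTRIBUTE_RULE_XML = """
<AttributeRule xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" attributeID="uid">
    <PermitValueRule xsi:type="OR">
        <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
        <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
</AttributeRule>
"""


def policy_applies(xml_text, ctx):
    """True if the <PolicyRequirementRule> applies to the constructed context."""
    return eval_policy_rule(ET.fromstring(xml_text.strip()), ctx)


def permitted_values(xml_text, values):
    """Values of the attribute released by the <PermitValueRule> of an <AttributeRule>."""
    root = ET.fromstring(xml_text.strip())
    return eval_matcher(root.find("PermitValueRule"), values)


if __name__ == "__main__":
    # Constructed sample contexts and attribute values, not from the page.
    print(policy_applies(POLICY_XML, {"principal": "jsmith", "requester": "https://other.example.org"}))  # True
    print(policy_applies(POLICY_XML, {"principal": "bob", "requester": "https://sp2.example.org"}))     # True
    print(policy_applies(POLICY_XML, {"principal": "bob", "requester": "https://other.example.org"}))   # False
    print(sorted(permitted_values(ATTRIBUTE_RULE_XML, ["jsmith", "jsmitten", "kenneth", "jane"])))
    # ['jsmith', 'jsmitten', 'kenneth']
```

Note that the two evaluators differ in what they return: the PolicyRule form collapses to a single boolean that gates the whole policy, while the Matcher form returns a set of values, which is why the union (rather than a boolean 'or') is the natural meaning of OR in that position.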