...
| RuleType | PolicyRule or Matcher | Function |
|---|---|---|
|  | PolicyRule | Logically TRUE |
|  | Matcher | Set Unity |
|  | PolicyRule | Logical AND |
|  | Matcher | Set Intersection |
| OR | PolicyRule | Logical OR |
| OR | Matcher | Set Union |
|  | PolicyRule | Logical NOT |
|  | Matcher | Set Inversion |
| Predicate | PolicyRule | Call an externally-defined predicate |
|  | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
|  | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
|  | PolicyRule | Compare the attribute issuer's name (typically the IdP's entityID) to a string |
|  | PolicyRule | Compare the principal name to a string |
| AuthenticationMethod | PolicyRule | Compare the authentication method to a string |
| Value | Matcher, or PolicyRule if attributeID specified | Compare attribute values to a string |
|  | Matcher, or PolicyRule if attributeID specified | Compare the scope of a Scoped attribute value to a string |
|  | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
|  | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
|  | PolicyRule | Match the attribute issuer's name (typically the IdP's entityID) to a regular expression |
|  | PolicyRule | Match the principal name to a regular expression |
|  | PolicyRule | Match the authentication method to a regular expression |
|  | Matcher, or PolicyRule if attributeID specified | Match attribute values to a regular expression |
|  | Matcher, or PolicyRule if attributeID specified | Match the scopes of scoped attribute values to a regular expression |
|  | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
|  | PolicyRule | Count the number of values for the specified Attribute |
|  | PolicyRule | Exact match against `<mdattr:EntityAttributes>` extension attributes ("tags") found in an attribute recipient's SAML metadata |
|  | PolicyRule | Regular expression match against `<mdattr:EntityAttributes>` extension attributes ("tags") found in an attribute recipient's SAML metadata |
|  | PolicyRule | Compare against |
|  | PolicyRule | Check the attribute recipient's SAML metadata for a matching `<EntitiesDescriptor>` |
| AttributeValueMatchesShibMDScope, AttributeIssuerRegistrationAuthority | Not implemented | |
|  | PolicyRule | Match against the `<rpi:RegistrationInfo>` extension in an attribute recipient's SAML metadata |
|  | Matcher | Match attribute values against `<RequestedAttribute>` elements associated with an `<AttributeConsumingService>` in an attribute recipient's SAML metadata, using just-in-time conversion |
|  | Matcher | Match attribute values against `<RequestedAttribute>` elements associated with an `<AttributeConsumingService>` in an attribute recipient's SAML metadata, after having applied an attribute decoding/mapping translation from SAML into internal IdPAttribute form |
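
The table distinguishes boolean PolicyRules from set-valued Matchers (logical AND/OR/NOT versus set intersection/union/inversion). The following simplified Python model of that distinction is an added illustration, not Shibboleth code and not part of the original page. All function names, the whole-value regex matching, and the "at least one value matches" reading of a Matcher used as a PolicyRule are assumptions of the model, and the sample request context is constructed.

```python
import re

# Matchers map an attribute's value set to the subset permitted for release.
def m_any():                      # Set Unity: every value
    return lambda vals: set(vals)
def m_value(s, case_sensitive=True):
    norm = (lambda v: v) if case_sensitive else str.lower
    return lambda vals: {v for v in vals if norm(v) == norm(s)}
def m_regex(pattern):             # assumption: pattern must match the whole value
    rx = re.compile(pattern)
    return lambda vals: {v for v in vals if rx.fullmatch(v)}
def m_and(*ms):                   # Set Intersection
    return lambda vals: set.intersection(*(m(vals) for m in ms))
def m_or(*ms):                    # Set Union
    return lambda vals: set.union(*(m(vals) for m in ms))
def m_not(m):                     # Set Inversion, relative to the attribute's values
    return lambda vals: set(vals) - m(vals)

# PolicyRules are plain booleans over the request context.
def p_requester(entity_id):
    return lambda ctx: ctx["requester"] == entity_id
def p_and(*ps):
    return lambda ctx: all(p(ctx) for p in ps)
def p_or(*ps):
    return lambda ctx: any(p(ctx) for p in ps)
def p_not(p):
    return lambda ctx: not p(ctx)
def p_from_matcher(attribute_id, m):
    # "Matcher, or PolicyRule if attributeID specified": modelled here as
    # true when at least one value of that attribute matches (assumption).
    return lambda ctx: bool(m(ctx["attributes"].get(attribute_id, set())))

def release(ctx, policy_rule, attribute_id, matcher):
    """Return the values released: nothing unless the PolicyRule holds."""
    if not policy_rule(ctx):
        return set()
    return matcher(ctx["attributes"].get(attribute_id, set()))

# Constructed sample request context (not real data).
SP = "https://sp.example.org/shibboleth"
CTX = {"requester": SP,
       "attributes": {"eduPersonAffiliation": {"member", "staff", "alum"}}}

def demo():
    rule = p_and(p_requester(SP),
                 p_from_matcher("eduPersonAffiliation", m_value("staff")))
    matcher = m_and(m_regex(r"member|staff|student"), m_not(m_value("staff")))
    return release(CTX, rule, "eduPersonAffiliation", matcher)
```

In this model `demo()` releases only `member`: the regex Matcher keeps `member` and `staff`, the inverted Value Matcher keeps `member` and `alum`, and the AND intersects the two sets.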