The InEntityGroup type is a PolicyRule that returns true if the Name of any <EntitiesDescriptor> enclosing the requester's metadata matches the supplied parameter. It replaces the deprecated saml:AttributeRequesterInEntityGroup type from V2.

As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.
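To make the two matching paths concrete, here is an added sample metadata document (constructed for this page, not taken from the original documentation or from any real federation). The entityIDs and URLs are invented, and the assumption for the V3.4 path is that the rule compares groupID with the entityID of the <EntityDescriptor> that carries the <AffiliationDescriptor>.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed sample metadata (added example, not from the original page). -->
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    Name="urn:mace:example.org">

    <!-- Path 1: both SPs below sit inside the <EntitiesDescriptor> named
         urn:mace:example.org, so a rule with groupID="urn:mace:example.org"
         evaluates to true for either of them. -->
    <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <AssertionConsumerService index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://sp1.example.org/Shibboleth.sso/SAML2/POST"/>
        </SPSSODescriptor>
    </EntityDescriptor>

    <EntityDescriptor entityID="https://sp2.example.org/shibboleth">
        <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
            <AssertionConsumerService index="1"
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                Location="https://sp2.example.org/Shibboleth.sso/SAML2/POST"/>
        </SPSSODescriptor>
    </EntityDescriptor>

    <!-- Path 2 (V3.4 and up): an affiliation that lists only sp2 as a member.
         Assumption: a rule with groupID="urn:mace:example.org:research" matches
         sp2 (an <AffiliateMember>) but not sp1. The affiliation name is constructed. -->
    <EntityDescriptor entityID="urn:mace:example.org:research">
        <AffiliationDescriptor affiliationOwnerID="https://idp.example.org/idp/shibboleth">
            <AffiliateMember>https://sp2.example.org/shibboleth</AffiliateMember>
        </AffiliationDescriptor>
    </EntityDescriptor>

</EntitiesDescriptor>
```

The practical difference for an operator: the <EntitiesDescriptor> path is decided by whoever publishes the federation aggregate, whereas an <AffiliationDescriptor> can be maintained by the affiliation owner, so the release scope of a policy keyed on it changes whenever that member list changes.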

The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to release 3.2.0 the 

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.

Use of that namespace is deprecated, but is supported.

Attributes

One attribute must be specified:

  • groupID: A required attribute that specifies the <EntitiesDescriptor> Name to match against (or, in V3.4 and up, a matching <AffiliationDescriptor>).

Child Elements

None

Example

Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org.

    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org"/>
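The single-line example above only shows the rule element itself. The following added example (written for this page, not taken from the IdP distribution) places it in a complete attribute filter policy so the namespace declarations that make xsi:type="InEntityGroup" resolve are visible. The surrounding elements follow the usual layout of the IdP's attribute-filter.xml; the policy id and the attribute IDs are assumptions and should be replaced with the IDs defined in your own attribute resolver.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy file (not from the original page). -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Release the attributes below only when the requesting SP's metadata is
         enclosed by an <EntitiesDescriptor> (or, from V3.4, an <AffiliationDescriptor>)
         named urn:mace:example.org. SPs outside that group get nothing from this
         policy, which keeps the release scope tied to federation membership rather
         than to a hand-maintained list of entityIDs. -->
    <AttributeFilterPolicy id="releaseToExampleOrgGroup">
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org"/>

        <!-- Attribute IDs are assumptions for this example. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- The deprecated V2 spelling still works but requires the extra
         xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" declaration and a
         saml:-prefixed xsi:type; prefer the afp namespace form shown above. -->

</AttributeFilterPolicyGroup>
```

Because the rule is evaluated against the metadata the IdP has loaded for the requester, the group membership it sees is only as trustworthy as the metadata source: a signed, verified aggregate from the federation is what makes the Name of the <EntitiesDescriptor> meaningful as a policy key.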
