...
The InEntityGroup type is a PolicyRule that returns true if the Name of any of the <EntitiesDescriptor> elements surrounding the requester's metadata matches the supplied parameter. This replaces the (deprecated) saml:AttributeRequesterInEntityGroup type from V2.
As of V3.4, the rule is extended so that membership in a matching <AffiliationDescriptor> also satisfies it.
...
The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace (afp prefix), the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the type was saml:InEntityGroup, defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd. Use of that namespace is deprecated, but is still supported.
Attributes
One attribute must be specified:
groupID: a required attribute that specifies the <EntitiesDescriptor> Name to match against (or, in V3.4 and up, the matching <AffiliationDescriptor>).
Child Elements
None
Example
Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org:
<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org"/>
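As an added example (not from this page or the Shibboleth project itself), the rule above placed in a complete attribute-filter.xml policy that releases one attribute only to SPs whose metadata sits inside the urn:mace:example.org group; the policy id and the choice of eduPersonPrincipalName are assumptions, and the commented line shows the deprecated pre-3.2.0 spelling the text says is still accepted.

```xml
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd
                            urn:mace:shibboleth:2.0:afp:mf:saml http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd">

    <!-- Assumed policy id. The policy applies only when the requesting SP's
         EntityDescriptor is nested under an EntitiesDescriptor (or, in V3.4+,
         listed in an AffiliationDescriptor) named urn:mace:example.org.
         SPs outside that group get nothing from this policy. -->
    <AttributeFilterPolicy id="releaseToExampleOrgGroup">

        <!-- Current (afp namespace) form of the rule from the page. -->
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org"/>

        <!-- Deprecated pre-3.2.0 form of the same rule; still supported: -->
        <!-- <PolicyRequirementRule xsi:type="saml:InEntityGroup" groupID="urn:mace:example.org"/> -->

        <!-- Assumed attribute: release every value of eduPersonPrincipalName
             to members of the group. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>

    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Because the match is made on the metadata the IdP has loaded, the effective scope of the release is whatever federation aggregate currently carries that group Name, so changes to the metadata feed change who qualifies without any edit to this file.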
...