...

Note

Membership in an InEntityGroup is rarely an effective basis for policy decisions. In general, base your attribute release policy only on the characteristics of the entity's own metadata: the SP entityID, entity attributes, and registration information. Avoid policy based on the characteristics of the aggregate itself, since the grouping of entities in an aggregate can change without any change to the entity. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and later.

Schema

...

Type and Location

The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Reference

Attributes

...

One attribute must be specified:

...

Name                    | Type    | Req? | Default | Description
------------------------|---------|------|---------|--------------------------------------------------------------
groupID                 | String  | Y    |         | The <EntitiesDescriptor> Name to match against (or in V3.4+, a matching <AffiliationDescriptor>)
checkAffiliations (3.4) | Boolean |      | false   | Whether to check metadata for <AffiliationDescriptor>-based matches

Child Elements

None

Example

Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org
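The following is an added example of a complete attribute-filter.xml fragment using this rule; it is not taken from the page or from the Shibboleth project's own documentation. It shows the InEntityGroup rule described above (with checkAffiliations enabled so that an <AffiliationDescriptor> named urn:mace:example.org also matches), and, following the Note earlier on this page, a second policy that keys release on an entity attribute instead of on group membership. The policy ids, the attribute released, and the entity attribute name and value are illustrative assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: attribute filter policy group using InEntityGroup (assumed policy ids). -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Group-based policy, as described on this page: applies when the SP's
         EntityDescriptor sits inside an EntitiesDescriptor named
         urn:mace:example.org, or (V3.4+, because checkAffiliations="true")
         when an AffiliationDescriptor with that Name lists the SP. -->
    <AttributeFilterPolicy id="releaseToExampleOrgGroup">
        <PolicyRequirementRule xsi:type="InEntityGroup"
                               groupID="urn:mace:example.org"
                               checkAffiliations="true"/>

        <!-- Illustrative released attribute; any resolver-defined attributeID works here. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Preferred alternative per the Note above: decide on an entity attribute
         carried in the SP's own metadata rather than on where the SP appears in
         an aggregate. The attributeName/attributeValue pair is an assumption
         standing in for whatever tag your federation publishes. -->
    <AttributeFilterPolicy id="releaseByEntityAttribute">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                               attributeName="http://macedir.org/entity-category"
                               attributeValue="https://example.org/category/trusted-sp"/>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

When verifying a deployment, check which of the two policies actually fired for a given SP in the IdP's audit or debug logging rather than inferring it from the aggregate layout: with checkAffiliations="true" an SP can match through an <AffiliationDescriptor> even when it is not nested under the named <EntitiesDescriptor>.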

...