New in Shibboleth 21.3.01, ARP Constraints allow the decision to release a given attribute (or group of attributes) to a service provider to be based on the value(s) of other attributes. These constraints were added to address two general use cases:
...
```xml
<AttributeReleasePolicy>
  <Rule>
    <!-- Release affiliation only for authorized users -->
    <Constraint attributeName="eduPersonEntitlement">urn:x:foo</Constraint>
    <Target>
      <Requester>https://example.com/shibboleth-sp</Requester>
    </Target>
    <Attribute name="eduPersonAffiliation">
      <AnyValue release="permit" />
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```
...
(method 1, permit release if IsFerpaSuppressed is false)
```xml
<!-- method 1 -->
<Rule>
  <!-- Release attrs to ServiceX if IsFerpaSuppressed is false -->
  <Constraint name="myeduIsFerpaSuppressed">false</Constraint>
  <Target>
    <Requester>https://example.com/shibboleth-sp</Requester>
  </Target>
  <Attribute name="displayName">
    <AnyValue release="permit" />
  </Attribute>
</Rule>
```
(method 2, deny release if IsFerpaSuppressed is true)
```xml
<!-- method 2 -->
<Rule>
  <!-- Release attrs to ServiceX unless IsFerpaSuppressed is true -->
  <Constraint name="myeduIsFerpaSuppressed" matches="none">true</Constraint>
  <Target>
    <Requester>https://example.com/shibboleth-sp</Requester>
  </Target>
  <Attribute name="displayName">
    <AnyValue release="permit" />
  </Attribute>
</Rule>
```
(method 3, deny release if IsFerpaSuppressed is populated with any value)
```xml
<!-- method 3 -->
<Rule>
  <!-- Release attrs to ServiceX unless IsFerpaSuppressed is populated -->
  <Constraint name="myeduIsFerpaSuppressed" matchFunction="urn:mace:shibboleth:arp:matchFunction:anyValueMatch" matches="none" />
  <Target>
    <Requester>https://example.com/shibboleth-sp</Requester>
  </Target>
  <Attribute name="displayName">
    <AnyValue release="permit" />
  </Attribute>
</Rule>
</AttributeReleasePolicy>
```
...
```xml
<Constraint name="foo"
            matchFunction="urn:mace:shibboleth:arp:matchFunction:anyValueMatch"
            matches="any" />
```
Must not have an attribute
...
```xml
<Constraint name="foo"
            matchFunction="urn:mace:shibboleth:arp:matchFunction:anyValueMatch"
            matches="none" />
```
Must have a specific attribute value
...
```xml
<Constraint name="eduPersonScopedAffiliation"
            matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">.*@example\.edu</Constraint>
```
...
```xml
<Constraint name="eduPersonAffiliation"
            matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">(faculty|staff)</Constraint>
```
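The practical question with the three FERPA rules above (and with the regex constraints just shown) is what each one does when the constraining attribute is missing from the user's record. The following evaluator is an added example, not Shibboleth's own code: it is a toy Python model of the `matches` (`any`/`all`/`none`) and `matchFunction` (`stringMatch`, `anyValueMatch`, `regexMatch`) semantics as this page describes them, applied to the three method rules and to a regex rule. The default `matches="any"`, the default string match function, the rule that an absent attribute satisfies `matches="none"`, and the sample users are all assumptions of this example.

```python
"""Toy evaluator for Shibboleth ARP <Constraint> elements (illustration only).

Assumed semantics (not taken from Shibboleth source): matches="any" (default
here) needs one matching value, "all" needs every value to match and at least
one value, "none" needs no matching value, so an absent attribute satisfies it.
"""
import re
import xml.etree.ElementTree as ET

ANY_VALUE_MATCH = "urn:mace:shibboleth:arp:matchFunction:anyValueMatch"
REGEX_MATCH = "urn:mace:shibboleth:arp:matchFunction:regexMatch"
STRING_MATCH = "urn:mace:shibboleth:arp:matchFunction:stringMatch"  # assumed default
SP = "https://example.com/shibboleth-sp"


def _value_matches(func, pattern, value):
    """Apply one match function to a single attribute value."""
    if func == ANY_VALUE_MATCH:
        return True  # any value at all counts as a match
    if func == REGEX_MATCH:
        return re.fullmatch(pattern, value) is not None
    if func == STRING_MATCH:
        return pattern == value
    raise ValueError(f"unknown matchFunction {func}")


def constraint_satisfied(constraint, user_attrs):
    """True when the <Constraint> holds for the user's attribute values."""
    # The page writes the attribute as name=...; accept attributeName= too.
    attr = constraint.get("name") or constraint.get("attributeName")
    func = constraint.get("matchFunction", STRING_MATCH)
    mode = constraint.get("matches", "any")
    pattern = (constraint.text or "").strip()
    hits = [_value_matches(func, pattern, v) for v in user_attrs.get(attr, [])]
    if mode == "any":
        return any(hits)
    if mode == "all":
        return bool(hits) and all(hits)
    if mode == "none":
        return not any(hits)  # absent attribute -> no hits -> satisfied
    raise ValueError(f"unknown matches mode {mode}")


def released_attributes(policy_xml, requester, user_attrs):
    """Names of attributes the policy releases to `requester` for this user."""
    permitted, denied = set(), set()
    for rule in ET.fromstring(policy_xml).iter("Rule"):
        targets = [r.text.strip() for r in rule.iter("Requester")]
        if targets and requester not in targets:
            continue  # rule is scoped to other service providers
        if not all(constraint_satisfied(c, user_attrs) for c in rule.iter("Constraint")):
            continue  # every constraint in the rule must hold
        for attribute in rule.iter("Attribute"):
            for any_value in attribute.iter("AnyValue"):
                bucket = permitted if any_value.get("release") == "permit" else denied
                bucket.add(attribute.get("name"))
    return permitted - denied  # deny wins over permit


def policy_with(constraint_xml):
    """Wrap one constraint in a rule shaped like the page's displayName rules."""
    return f"""<AttributeReleasePolicy><Rule>{constraint_xml}
      <Target><Requester>{SP}</Requester></Target>
      <Attribute name="displayName"><AnyValue release="permit" /></Attribute>
    </Rule></AttributeReleasePolicy>"""


METHODS = {
    "method 1": policy_with('<Constraint name="myeduIsFerpaSuppressed">false</Constraint>'),
    "method 2": policy_with('<Constraint name="myeduIsFerpaSuppressed" matches="none">true</Constraint>'),
    "method 3": policy_with(f'<Constraint name="myeduIsFerpaSuppressed" '
                            f'matchFunction="{ANY_VALUE_MATCH}" matches="none" />'),
}

USERS = {  # constructed sample users; "absent" has no suppression flag at all
    "suppressed": {"myeduIsFerpaSuppressed": ["true"]},
    "not suppressed": {"myeduIsFerpaSuppressed": ["false"]},
    "absent": {},
}


def compare_methods():
    """Release outcome of each method for each sample user."""
    return {m: {u: released_attributes(p, SP, a) for u, a in USERS.items()}
            for m, p in METHODS.items()}


if __name__ == "__main__":
    for method, outcome in compare_methods().items():
        print(method, outcome)
```

Under these assumed semantics only method 1 fails closed: a user with no `myeduIsFerpaSuppressed` value gets nothing, because a `matches="any"` constraint can never be satisfied by an empty value set. Methods 2 and 3 both release `displayName` to that user, since `matches="none"` is trivially true when there are no values to match. Method 3 is the strictest once the attribute is populated (even a value of `false` blocks release), so the choice between the three is really a choice about what an unpopulated attribute should mean.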
...