...

The InEntityGroup type is a PolicyRule that returns true if the Name of any <EntitiesDescriptor> element enclosing the requester's entity metadata matches the supplied parameter. This replaces the (deprecated) saml:AttributeRequesterInEntityGroup type from V2. As of V3.4, this is extended to also match membership in an <AffiliationDescriptor>.

Note

Membership in an InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Name

The InEntityGroup type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

...

  • groupID : a required attribute that specifies the <EntitiesDescriptor> Name to match against (or, in V3.4 and up, the <AffiliationDescriptor> to match)

Child Elements

None

Example

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>

...


Apply this rule if the entity for the SP is enclosed by an <EntitiesDescriptor> with Name "urn:example.org".
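The matching semantics described above (an enclosing <EntitiesDescriptor> Name, plus the V3.4 <AffiliationDescriptor> extension) can be checked offline against a metadata aggregate before a filter policy is deployed. The following is an added example, not Shibboleth project code: it walks a small constructed SAML metadata document and answers whether a given entityID would satisfy a given groupID. It assumes that an <AffiliationDescriptor> is identified by the entityID of its enclosing <EntityDescriptor> and that a requester is a member when it is listed as an <AffiliateMember>; the sample metadata, entityIDs and group names are constructed for illustration.

```python
"""Added example (not Shibboleth project code): reproduce the InEntityGroup
policy rule's matching over a constructed SAML metadata aggregate."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
AFFILIATION = f"{{{MD_NS}}}AffiliationDescriptor"
MEMBER = f"{{{MD_NS}}}AffiliateMember"

# Constructed sample aggregate: a nested group, one entity only in the outer
# group, and an affiliation that names the second SP as a member.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntitiesDescriptor xmlns="{MD_NS}" Name="urn:example.org">
  <EntitiesDescriptor Name="urn:example.org:research">
    <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </EntityDescriptor>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="urn:example.org:affiliation:library">
    <AffiliationDescriptor affiliationOwnerID="https://idp.example.org/idp">
      <AffiliateMember>https://sp2.example.org/shibboleth</AffiliateMember>
    </AffiliationDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def enclosing_group_names(root, entity_id):
    """Return the Name of every <EntitiesDescriptor> enclosing the
    <EntityDescriptor> with the given entityID, innermost first.
    ElementTree has no parent pointers, so the path is carried explicitly."""
    def walk(elem, path):
        if elem.tag == ENTITY and elem.get("entityID") == entity_id:
            return [p.get("Name") for p in reversed(path) if p.get("Name")]
        child_path = path + [elem] if elem.tag == ENTITIES else path
        for child in elem:
            found = walk(child, child_path)
            if found is not None:
                return found
        return None

    return walk(root, []) or []


def affiliation_ids(root, entity_id):
    """Return the entityID of every <EntityDescriptor> whose
    <AffiliationDescriptor> lists entity_id as an <AffiliateMember>
    (assumed model of the V3.4 extension)."""
    result = []
    for ed in root.iter(ENTITY):
        aff = ed.find(AFFILIATION)
        if aff is None:
            continue
        members = [m.text.strip() for m in aff.findall(MEMBER) if m.text]
        if entity_id in members:
            result.append(ed.get("entityID"))
    return result


def in_entity_group(metadata_xml, entity_id, group_id):
    """True if groupID matches an enclosing group Name or an affiliation
    that the entity belongs to; False for unknown entities."""
    root = ET.fromstring(metadata_xml)
    if group_id in enclosing_group_names(root, entity_id):
        return True
    return group_id in affiliation_ids(root, entity_id)


if __name__ == "__main__":
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        for group in ("urn:example.org", "urn:example.org:research",
                      "urn:example.org:affiliation:library"):
            print(sp, group, in_entity_group(SAMPLE_METADATA, sp, group))
```

Running the block prints, for each constructed SP and group, whether the rule would apply; sp1 matches both nested group names but not the affiliation, while sp2 matches only the outer group and the affiliation. The nested-group case is why the Note above warns against aggregate-based policy: a groupID that names an outer <EntitiesDescriptor> applies to every entity the publisher happens to place inside it.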