Versions Compared

Version Old Version 4 New Version Current
Changes made by

Jonathan Zhao

Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Reverted from v. 3

...

RuleType

PolicyRule or Matcher

Function


ANY

PolicyRule

Logically TRUE

Matcher

Set Unity


AND

PolicyRule

Logical AND

Matcher 

Set Intersection


OR

PolicyRule

Logical OR

Matcher 

Set Union


NOT

PolicyRule

Logical NOT

Matcher

Set Inversion

Profile

PolicyRule

Compare the active profile identifier to a string

Predicate

PolicyRule

Call an externally-defined predicate

Outbound

PolicyRule

Applies if iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service.

Inbound

PolicyRule

Applies iff the system is filtering attributes that have been received from an external system (i.e, another IdP).

Requester

PolicyRule

Compare the attribute recipient's name (typically an SP's entityID) to a string

ProxiedRequester

PolicyRule

Compare a proxied attribute recipient's name (typically an SP's entityID) to a string

Issuer

PolicyRule

Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string

PrincipalName

PolicyRule

Compare the principal name to a string

Value

Matcher, or PolicyRule if attributeID specified 

Compare attribute values to a string

Scope

Matcher, or PolicyRule if attributeID specified

Compare the scope of a Scoped attribute value to a string

RequesterRegex

PolicyRule

Match the attribute recipient's name (typically an SP's entityID) to a regular expression

ProxiedRequesterRegex

PolicyRule

Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression

IssuerRegex

PolicyRule

Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression

PrincipalNameRegex

PolicyRule

Match the principal name to a regular expression

ValueRegex

Matcher, or PolicyRule if attributeID specified

Match attribute values to a regular expression

ScopeRegex

Matcher, or PolicyRule if attributeID specified

Match the scopes of scoped attribute values to a regular expression

Script

Both

Use a Java scripting language to implement a custom PolicyRule or Matcher

NumberOfAttributeValues

PolicyRule

Count the number of values for the specified Attribute

EntityAttributeExactMatch

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

EntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

IssuerEntityAttributeExactMatch        

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute issuer's SAML metadata

IssuerEntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute issuer's SAML metadata

ProxiedRequesterEntityAttributeExactMatch

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in a proxied requester's SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

ProxiedRequesterEntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in a proxied requester's SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

NameIDFormatExactMatch

PolicyRule

Compare against <NameIDFormat> element's inside the attribute recipient's SAML metadata

IssuerNameIDFormatExactMatch

PolicyRule

Compare against <NameIDFormat> element's inside the attribute issuer's SAML metadata

InEntityGroup

PolicyRule

Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>

IssuerInEntityGroup

PolicyRule

Check the attribute issuer's SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>

ProxiedRequesterInEntityGroup

PolicyRule

Check a proxied requester’s SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

RegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in an attribute recipient's SAML metadata

IssuerRegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in an attribute issuer's SAML metadata

ProxiedRequesterRegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in a proxied requester’s SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

AttributeInMetadata

Matcher

Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata

ScopeMatchesShibMDScope

Matcher

Match the scopes of scoped attribute values against the <shibmd:Scope> metadata extension for the Issuer's EntityDescriptor  or appropriate  Role Descriptor.

ValueMatchesShibMDScope

Matcher

Match attribute values against the <shibmd:Scope> metadata extension for the Issuer's EntityDescriptor  or appropriate  Role Descriptor.

...