Versions Compared

Old Version 7

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version Current

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Membership in a group is rarely an effective way of making policy decisions because hierarchies are inherently limiting and metadata sources tend not to align well to policy.

In general, base your attribute release policy on the characteristics of entity metadata only: the entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, prefer the <AffiliationDescriptor> mechanism which allows group membership to be separate from the entities themselves.

Reference

...

XML Attributes

Name

Type

Req?

Default

Description

groupID

String

Y

The <EntitiesDescriptor> Name to match against, or a matching <AffiliationDescriptor>

checkAffiliations

Boolean

false

Whether to check metadata for <AffiliationDescriptor>-based matches

Example

Apply this rule if the entity for the IdP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org

...