...
| RuleType | PolicyRule or Matcher | Function |
|---|---|---|
| | PolicyRule | Logically TRUE |
| | Matcher | Set Unity |
| | PolicyRule | Logical AND |
| | Matcher | Set Intersection |
| OR | PolicyRule | Logical OR |
| | Matcher | Set Union |
| | PolicyRule | Logical NOT |
| | Matcher | Set Inversion |
| Predicate | PolicyRule | Call an externally-defined predicate |
| | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
| | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
| | PolicyRule | Compare the attribute issuer's name (typically the IdP's entityID) to a string |
| | PolicyRule | Compare the principal name to a string |
| AuthenticationMethod | PolicyRule | Compare the authentication method to a string |
| Value | Matcher, or PolicyRule if | Compare attribute values to a string |
| | Matcher, or PolicyRule if attributeID specified | Compare the scope of a Scoped attribute value to a string |
| | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
| ProxiedRequesterRegex 3.4 | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
| | PolicyRule | Match the attribute issuer's name (typically the IdP's entityID) to a regular expression |
| | PolicyRule | Match the principal name to a regular expression |
| | PolicyRule | Match the authentication method to a regular expression |
| | Matcher, or PolicyRule if attributeID specified | Match attribute values to a regular expression |
| | Matcher, or PolicyRule if attributeID specified | Match the scopes of scoped attribute values to a regular expression |
| | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
| | PolicyRule | Count the number of values for the specified Attribute |
| | PolicyRule | Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata |
| | PolicyRule | Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata |
| | PolicyRule | Compare against |
| | PolicyRule | Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor> |
| AttributeValueMatchesShibMDScope, AttributeIssuerRegistrationAuthority | Not implemented | |
| | PolicyRule | Match against the <rpi:RegistrationInfo> extension in an attribute recipient's SAML metadata |
| | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, using just in time conversion |
| | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, after having applied an attribute decoding/mapping translation from SAML into internal IdPAttribute form |