Overview

An <AttributeRule> defines a filter operation to be applied to the values of one specific attribute.

Each rule is either a permit rule, in which case the filtered values are added to the permit list, or a deny rule, in which case the filtered attributes are added to the deny list, as described here.

Examples

<AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="Value" value="jsmith" ignoreCase="true" />
</AttributeRule>

Reference

Schema Name and Location

Elements and types described in this page and its children are defined by the (see here).

The element itself is defined within the urn:mace:shibboleth:2.0:afp (afp:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

In addition, IdP versions prior to 3.2.0 used the following schemas. 

Use of these schemas is still supported from V3.2.0, but not required. Types defined in these two schemas have corresponding types with the same name, or a truncated version of it. The full tables of legacy to current mappings are given here.

 

The actual plugin types used are defined in namespaces specific to those types (though in practice they are now defined within the same namespace, or a pair of legacy namespaces in older versions, as described throughout this documentation).

Attributes

| Name | Type | Description |
| --- | --- | --- |
| attributeID | String | This required attribute specifies the IdPAttribute name (as defined by an <AttributeDefinition> plugin in the AttributeResolverConfiguration). Note that this is the internal name of the IdPAttribute, "private" to the IdP, and has nothing to do with the name of a formalized SAML Attribute. |
| permitAny | Boolean | If this is present and set to "true", then no child elements should be provided and the entire statement is shorthand for the rule shown below. |

The permitAny shorthand is equivalent to:

<AttributeRule attributeID="...">
   <PermitValueRule xsi:type="ANY" />
</AttributeRule>

Child Elements

| Name | Cardinality | Description |
| --- | --- | --- |
| <PermitValueRule> or <DenyValueRule> | 1 | The permit or deny rule to apply to the specified attribute's values. |

The child element must have a plugin xsi:type specified, usually one of the Common Types, generally a Matcher. If a PolicyRule plugin is used, then it will be converted as described here.

Examples

<AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="Value" value="student" ignoreCase="true" />
</AttributeRule>
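
The following is an added example, not part of the Shibboleth documentation or code base: a short Python audit that applies the rules on this page to a filter file. It flags rules that release every value (permitAny="true" or its <PermitValueRule xsi:type="ANY" /> long form), permitAny combined with child elements, a missing attributeID, and a wrong number of value rules. The sample document, its wrapper elements and the finding labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample; wrapper elements and values are illustrative only.
SAMPLE = """\
<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="example">
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="Value" value="student" ignoreCase="true" />
    </AttributeRule>
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="uid" permitAny="true">
      <DenyValueRule xsi:type="Value" value="root" />
    </AttributeRule>
    <AttributeRule><PermitValueRule xsi:type="Value" value="x" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def local(name):  # strip an XML namespace ({uri}tag) or QName prefix (afp:ANY)
    return name.rsplit("}", 1)[-1].split(":")[-1]

def audit(xml_text):  # returns (attributeID, finding) pairs in document order
    findings = []
    for rule in ET.fromstring(xml_text).iter():
        if local(rule.tag) != "AttributeRule":
            continue
        attr_id = rule.get("attributeID")
        if not attr_id:  # attributeID is required
            findings.append(("?", "missing-attributeID"))
            continue
        kids = [c for c in rule if local(c.tag) in ("PermitValueRule", "DenyValueRule")]
        permit_any = rule.get("permitAny", "").strip() in ("true", "1")  # xs:boolean
        if permit_any and kids:  # shorthand must not carry child rules
            findings.append((attr_id, "permitAny-with-children"))
        elif not permit_any and len(kids) != 1:  # cardinality is 1
            findings.append((attr_id, "needs-exactly-one-value-rule"))
        long_form = any(local(c.tag) == "PermitValueRule"
                        and local(c.get(XSI_TYPE, "")) == "ANY" for c in kids)
        if permit_any or long_form:  # both forms permit every value
            findings.append((attr_id, "releases-all-values"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A "releases-all-values" finding is not an error in itself; it marks the rules worth reviewing against what the relying party actually needs.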