Note |
---|
This feature is available in V3.4 and later of the software. |
...
```xml
<saml:Attribute Name="http://shibboleth.net/ns/profiles/defaultAuthenticationMethods"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>http://example.org/ac/classes/mfa</saml:AttributeValue>
</saml:Attribute>

<!-- The disallowedFeatures setting is a bitmask, and 0x1 blocks SPs requesting authentication types. -->
<saml:Attribute Name="http://shibboleth.net/ns/profiles/disallowedFeatures"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue>0x1</saml:AttributeValue>
</saml:Attribute>
```
Interceptor Flows
Triggering consent based on the SP is pretty common.
...
```xml
<AttributeFilterPolicy id="Per-Attribute-singleValued">
    <PolicyRequirementRule xsi:type="ANY"/>

    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="eduPersonPrincipalName" />
    </AttributeRule>

    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="mail" />
    </AttributeRule>
</AttributeFilterPolicy>
```
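When reviewing SP metadata before it is loaded, it helps to see which of these tag-driven rules an entity would actually trigger. The following is an added example, not code from the Shibboleth project: the sample metadata, the entityID and the function names are constructed, and it assumes the matcher requires Name, NameFormat and value to match exactly, as the policy's attributes indicate.

```python
import xml.etree.ElementTree as ET  # for untrusted metadata, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
RELEASE_ALL = "http://shibboleth.net/ns/attributes/releaseAllValues"
DISALLOWED = "http://shibboleth.net/ns/profiles/disallowedFeatures"
BLOCK_REQUESTED_AUTHN = 0x1  # the only bit documented on this page

# Constructed metadata for a hypothetical SP. The second tag uses the wrong
# NameFormat, so the eduPersonPrincipalName rule must NOT match it.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="{RELEASE_ALL}" NameFormat="{URI}">
      <saml:AttributeValue>mail</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{RELEASE_ALL}" NameFormat="{UNSPEC}">
      <saml:AttributeValue>eduPersonPrincipalName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{DISALLOWED}" NameFormat="{URI}">
      <saml:AttributeValue>0x1</saml:AttributeValue></saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""

def entity_attributes(metadata_xml):
    """Map (Name, NameFormat) -> values found under mdattr:EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    tags = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        tags.setdefault((attr.get("Name"), attr.get("NameFormat")), []).extend(values)
    return tags

def released_by_policy(tags, rule_ids):
    """Attribute IDs whose rule finds its own ID as a releaseAllValues tag value."""
    allowed = set(tags.get((RELEASE_ALL, URI), []))
    return [attr_id for attr_id in rule_ids if attr_id in allowed]

def blocks_requested_authn(tags):
    """True when any disallowedFeatures value has bit 0x1 set."""
    return any(int(v, 0) & BLOCK_REQUESTED_AUTHN for v in tags.get((DISALLOWED, URI), []))

if __name__ == "__main__":
    tags = entity_attributes(SAMPLE_METADATA)
    print("released:", released_by_policy(tags, ["eduPersonPrincipalName", "mail"]))
    print("requested authn types blocked:", blocks_requested_authn(tags))
```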
...