...
- id - a unique identifier for this policy
Example Attribute Filter Policy Definition

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <!-- Policy Requirement Rule would go here -->
    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>
```
...
A policy requirement rule is defined with the element `<PolicyRequirementRule xsi:type="MATCHING_RULE_TYPE">`. The matching rule type may be any matching rule type.

Example Attribute Filter Policy Definition with Policy Requirement

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>
```
...
- attributeID - the case-sensitive ID, as assigned in the attribute resolver, of the attribute to which the rule applies
Example Attribute Filter Policy Definition with Attribute Rules

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>
</AttributeFilterPolicy>
```
...
A deny value rule is defined with the element `<DenyValueRule xsi:type="MATCHING_RULE_TYPE">`. The matching rule type may be any matching rule type.

Example Attribute Filter Policy Definition with Attribute Rules

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```
...
Note: Each filter policy group must have a unique ID. If you create a copy of an existing filter file as the seed for your new file, be sure to change the id attribute on the `<AttributeFilterPolicyGroup>` element.
Example Filter Configuration Loading Three Files

```xml
<Service id="shibboleth.AttributeFilterEngine"
         xmlns="urn:mace:shibboleth:2.0:services"
         xsi:type="afp:ShibbolethAttributeFilteringEngine">
    <ConfigurationResource file="/opt/shibboleth-idp/conf/attribute-filter.xml" xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/group-attribute-filter.xml" xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/user-attribute-filter.xml" xsi:type="resource:FilesystemResource" />
</Service>
```
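A pre-deployment check for the note above, added here as an example (it is not Shibboleth's own code): it parses a set of filter files, reports any `AttributeFilterPolicyGroup` or `AttributeFilterPolicy` id used more than once, and flags `AttributeRule` elements that still have no permit or deny value rule. The file contents, the ids and the helper names are constructed; treating policy ids as unique across files and a rule without value rules as unfinished are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

AFP_NS = "urn:mace:shibboleth:2.0:afp"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ID_ELEMENTS = ("AttributeFilterPolicyGroup", "AttributeFilterPolicy")
PERMIT_ANY = '<PermitValueRule xsi:type="basic:ANY"/>'

def make_group(group_id, policy_id, rule_body):
    # Builds a constructed filter file; ids and contents are made up for this demo.
    return (f'<AttributeFilterPolicyGroup id="{group_id}" xmlns="{AFP_NS}" xmlns:xsi="{XSI_NS}">'
            f'<AttributeFilterPolicy id="{policy_id}">'
            f'<AttributeRule attributeID="eduPersonAffiliation">{rule_body}</AttributeRule>'
            f'</AttributeFilterPolicy></AttributeFilterPolicyGroup>')

# Constructed sample: user-attribute-filter.xml was seeded from a copy of
# attribute-filter.xml and its group id was never changed.
SAMPLE_FILES = {
    "attribute-filter.xml": make_group("siteFilterGroup", "releaseToAnyone", PERMIT_ANY),
    "group-attribute-filter.xml": make_group("groupFilterGroup", "releaseToGroups", ""),
    "user-attribute-filter.xml": make_group("siteFilterGroup", "releaseToUsers", PERMIT_ANY),
}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]

def lint_filter_files(files):
    """files maps file name -> XML text. Returns a sorted list of findings."""
    seen = defaultdict(list)  # (element name, id) -> files that use it
    findings = []
    for name, text in files.items():
        for el in ET.fromstring(text).iter():
            kind = local_name(el.tag)
            if kind in ID_ELEMENTS:
                seen[(kind, el.get("id"))].append(name)
            elif kind == "AttributeRule":
                children = {local_name(child.tag) for child in el}
                if not children & {"PermitValueRule", "DenyValueRule"}:
                    findings.append(f"{name}: AttributeRule {el.get('attributeID')!r} "
                                    "has no permit or deny value rule")
    for (kind, ident), names in seen.items():
        if ident is None:
            findings.append(f"{kind} without an id in {', '.join(names)}")
        elif len(names) > 1:
            findings.append(f"duplicate {kind} id {ident!r} in {', '.join(names)}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_filter_files(SAMPLE_FILES)))
```

To check a real deployment, build the `files` mapping from the paths listed in the `ConfigurationResource` elements and fail the deployment step if the returned list is not empty.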
...