Comment: Migrated to Confluence 5.3

...

  • id - a unique identifier for this policy
Example Attribute Filter Policy Definition
<AttributeFilterPolicy id="releaseToAnyone">
    <!-- Policy Requirement Rule would go here -->

    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>

...

A policy requirement rule is defined with the element <PolicyRequirementRule xsi:type="MATCHING_RULE_TYPE">. The matching rule type may be any matching rule type.

Example Attribute Filter Policy Definition with Policy Requirement
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>

...

  • attributeID - the case-sensitive ID, as assigned in the attribute resolver, of the attribute to which the rule applies
Example Attribute Filter Policy Definition with Attribute Rules
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="transientId">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>

    <AttributeRule attributeID="eduPersonAffiliation">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>
</AttributeFilterPolicy>

...

A deny value rule is defined with the element <DenyValueRule xsi:type="MATCHING_RULE_TYPE">. The matching rule type may be any matching rule type.

Example Attribute Filter Policy Definition with Attribute Rules
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />

    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
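
As an added example (not part of the Shibboleth documentation), the following script audits a filter file and reports, for each attribute rule, whether its values are released unfiltered to every requester or restricted by a permit value rule. The helper names, the group id examplePolicyGroup and the namespace declarations on the wrapper element are assumptions made so the sample parses on its own; xsi:type is compared by its local part only.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample: the page's policy, shortened, inside a namespace-declaring group.
SAMPLE = """<AttributeFilterPolicyGroup id="examplePolicyGroup"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the namespace: prefixed and unprefixed match alike

def find_all(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def rule_type(elem):
    """Local part of xsi:type ('basic:ANY' -> 'ANY'); the prefix is not resolved."""
    return elem.get(XSI_TYPE, "").rsplit(":", 1)[-1]

def audit(xml_text):
    """Return (policy id, attributeID, finding) for every attribute rule."""
    findings = []
    for policy in find_all(ET.fromstring(xml_text), "AttributeFilterPolicy"):
        req = find_all(policy, "PolicyRequirementRule")
        open_policy = bool(req) and rule_type(req[0]) == "ANY"
        for rule in find_all(policy, "AttributeRule"):
            permit = find_all(rule, "PermitValueRule")
            if not permit:
                finding = "no PermitValueRule"
            elif rule_type(permit[0]) == "ANY":
                finding = "all values released" + (" to every requester" if open_policy else "")
            else:
                finding = "values restricted by " + rule_type(permit[0])
            findings.append((policy.get("id"), rule.get("attributeID"), finding))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
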

...

Note

Each filter policy group must have a unique ID. If you create a copy of an existing filter file as the seed for your new file, be sure to change the id attribute on the <AttributeFilterPolicyGroup> element.

Example Filter Configuration Loading Three Files
<Service id="shibboleth.AttributeFilterEngine"
         xmlns="urn:mace:shibboleth:2.0:services"
         xsi:type="afp:ShibbolethAttributeFilteringEngine">
    <ConfigurationResource file="/opt/shibboleth-idp/conf/attribute-filter.xml" xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/group-attribute-filter.xml" xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/user-attribute-filter.xml" xsi:type="resource:FilesystemResource" />
</Service>

...