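<?xml version="1.0" encoding="UTF-8"?>
<!--
    Access control policies for the IdP impersonation feature.

    Two named policies are registered in the shibboleth.AccessControlPolicies map:

      GeneralImpersonationPolicy   decides who may impersonate at all, based on the
                                   value of the subject's eduPersonEntitlement attribute.
      SpecificImpersonationPolicy  decides which (target username, relying party) pair a
                                   permitted impersonator may act for, based on the
                                   impersonatableUsernames and impersonatableServices
                                   attributes (presumably produced by the attribute
                                   resolver for the impersonator; verify that both are
                                   actually resolved, otherwise the policy denies).

    Each policy wraps a predicate in shibboleth.PredicateAccessControl; access is granted
    only when the predicate evaluates true.

    The predicate beans are referenced by their shibboleth.Conditions.* parent ids (the
    parent-bean form of net.shibboleth.idp.profile.logic.SimpleAttributePredicate and
    DynamicAttributePredicate), matching the parent="shibboleth.Conditions.AND" style used
    elsewhere in this file.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:map id="shibboleth.AccessControlPolicies">

        <!-- Limits who can impersonate based on entitlement. -->
        <entry key="GeneralImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <!-- True only if the subject's eduPersonEntitlement attribute contains the
                         listed value. The example.org URI is a placeholder; it must match the
                         entitlement value your deployment actually issues, or nobody can impersonate. -->
                    <bean parent="shibboleth.Conditions.SimpleAttribute">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="eduPersonEntitlement">
                                    <list>
                                        <value>https://example.org/entitlement/impersonation</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

        <!-- Controls the impersonation scenarios to allow. -->
        <entry key="SpecificImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <!-- Both conditions must hold: the requested target user AND the requesting
                         service must each be permitted for this impersonator. -->
                    <bean parent="shibboleth.Conditions.AND">
                        <constructor-arg>
                            <!-- The impersonator's impersonatableUsernames attribute must contain the
                                 username being impersonated; that username is taken from the resource
                                 of the AccessControlContext attached to the profile request context. -->
                            <bean parent="shibboleth.Conditions.DynamicAttribute">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableUsernames">
                                            <list>
                                                <bean parent="shibboleth.ContextFunctions.Expression"
                                                      c:expression="#input.getSubcontext(T(org.opensaml.profile.context.AccessControlContext)).getResource()" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                        <constructor-arg>
                            <!-- The impersonator's impersonatableServices attribute must contain the
                                 entityID of the relying party the request is for. -->
                            <bean parent="shibboleth.Conditions.DynamicAttribute">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableServices">
                                            <list>
                                                <bean parent="shibboleth.RelyingPartyIdLookup.Simple" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

    </util:map>

</beans>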