Overview
Each <AttributeRule> defines a filter operation to be applied to the values of one specified attribute.
Each rule is either a permit rule, in which case the filtered values are added to the permit list, or a deny rule, in which case the filtered values are added to the deny list.
Examples
<AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="Value" value="jsmith" ignoreCase="true" />
</AttributeRule>
Reference
Schema Name
Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp (afp:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
In addition, IdP versions prior to 3.2.0 used the following schemas.
- by the urn:mace:shibboleth:2.0:afp:mf:basic (basic:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
- by the urn:mace:shibboleth:2.0:afp:mf:saml (saml:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.
Use of these schemas is still supported from V3.2.0, but not required. Types defined in these two schemas have corresponding types with the same name or a truncated version of it. The full table of legacy-to-current mappings is given here.
Attributes
Name | Type | Description |
---|---|---|
attributeID | String | This required attribute specifies the attribute name (as defined by an AttributeDefinition statement in the attribute-resolver.xml file) |
permitAny | boolean | If this is present and is "true", then no child elements should be provided and the entire statement is shorthand for <AttributeRule attributeID="..."> <PermitValueRule xsi:type="ANY" /> </AttributeRule> |
Child Elements
Either a <DenyValueRule> or a <PermitValueRule> is specified as a child element. The element must have a type, given by its xsi:type attribute, that is one of the Common Types.
This rule should be of a matcher type. If it is of PolicyRule type then it will be converted as described here.
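
The constraints in the Attributes and Child Elements sections above can be checked mechanically before a filter file is deployed, which catches rules that would release or withhold values unintentionally. The following is an added example, not part of the Shibboleth documentation or code base; the function name lint_attribute_rules and the sample policy are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"  # schema namespace named on this page
XSI = "http://www.w3.org/2001/XMLSchema-instance"
VALUE_RULES = {f"{{{AFP}}}PermitValueRule", f"{{{AFP}}}DenyValueRule"}

# Constructed sample policy: two well-formed rules followed by three broken ones.
SAMPLE = """<AttributeFilterPolicy id="constructed" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PolicyRequirementRule xsi:type="ANY" />
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="Value" value="jsmith" ignoreCase="true" />
  </AttributeRule>
  <AttributeRule attributeID="mail" permitAny="true" />
  <AttributeRule attributeID="eduPersonAffiliation" permitAny="true">
    <DenyValueRule xsi:type="Value" value="student" />
  </AttributeRule>
  <AttributeRule attributeID="displayName" />
  <AttributeRule>
    <PermitValueRule value="x" />
  </AttributeRule>
</AttributeFilterPolicy>"""


def lint_attribute_rules(xml_text):
    """Return (attributeID, problem) pairs for rules that break the page's constraints."""
    problems = []
    for rule in ET.fromstring(xml_text).iter(f"{{{AFP}}}AttributeRule"):
        label = rule.get("attributeID") or "<missing>"
        if not rule.get("attributeID"):
            problems.append((label, "attributeID is required"))
        children = list(rule)
        if rule.get("permitAny", "").strip() == "true":
            # Shorthand for PermitValueRule xsi:type="ANY": no children allowed.
            if children:
                problems.append((label, "permitAny is true but child elements are present"))
            continue
        value_rules = [c for c in children if c.tag in VALUE_RULES]
        if len(value_rules) != 1:
            problems.append((label, f"expected one Permit/DenyValueRule, found {len(value_rules)}"))
        for value_rule in value_rules:
            if not value_rule.get(f"{{{XSI}}}type"):
                problems.append((label, "value rule has no xsi:type"))
    return problems


if __name__ == "__main__":
    for attribute_id, problem in lint_attribute_rules(SAMPLE):
        print(f"{attribute_id}: {problem}")
```

The check covers only the structural rules stated on this page; it does not validate that an xsi:type value is one of the Common Types.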