The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.


Overview

The InEntityGroup type is a PolicyRule that returns true if the requesting entity's metadata sits inside an EntitiesDescriptor whose Name attribute matches the supplied parameter (any enclosing EntitiesDescriptor counts, since they can be nested). It replaces the deprecated saml:AttributeRequesterInEntityGroup type from V2.

Membership in an EntitiesDescriptor is rarely an effective basis for policy decisions: the grouping is a property of how an aggregate was assembled, not of the SP itself. In general, base your attribute release policy on the characteristics of the entity's own metadata: its entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself.

Schema Name

The InEntityGroup type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to release 3.2.0, the type was named saml:InEntityGroup and was defined by the urn:mace:shibboleth:2.0:afp:mf:saml schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.

Use of that namespace is deprecated, but is still supported.

Attributes

One attribute must be specified:

  • groupID : a required attribute that specifies the EntitiesDescriptor Name to match against.

Child Elements

None

Example

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>

Apply this rule if the entity for the SP is included in an EntitiesDescriptor with Name "urn:example.org".
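The rule above placed in context, as an added example that is not part of the original page: a complete attribute-filter.xml policy group that releases one attribute only to SPs found inside the "urn:example.org" EntitiesDescriptor, with the pre-3.2.0 namespace form shown in a comment. The policy id, the attribute released, and the group Name are assumed values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed file: conf/attribute-filter.xml (IdP V3, release 3.2.0 or later). -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Hypothetical policy id; the group Name is the one used on this page. -->
    <AttributeFilterPolicy id="releaseToExampleOrgGroup">

        <!-- Current form (3.2.0+): the type lives in the default afp namespace. -->
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>

        <!-- Deprecated pre-3.2.0 form, still accepted. It needs the old namespace
             declared on the root element:
               xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
             and then:
               <PolicyRequirementRule xsi:type="saml:InEntityGroup" groupID="urn:example.org"/>
        -->

        <!-- Released only when the rule above is true; attribute id is assumed. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>

    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Because the match is on the aggregate's structure rather than the SP, re-check this policy whenever the metadata source or its grouping changes; an SP that moves between EntitiesDescriptors silently gains or loses the release.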
