Overview
The InEntityGroup
type is a PolicyRule that returns true if the Name of any of the EntitiesDescriptors that the entity of the requester is in matches the supplied parameter. This replaces the (deprecated) saml:AttributeRequesterInEntityGroup
type from V2.
Membership in a InEntityGroup
is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself.
Schema Name
The InEntityGroup
type is defined by the urn:mace:shibboleth:2.0:afp
schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the saml:InEntityGroup
type is defined by the urn:mace:shibboleth:2.0:afp:mf:saml
schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.
Use of that namespace is deprecated, but is supported.
Attributes
One attribute must be specified
groupID
: a required attribute that specifies the EntitiesDescriptor Name to match against.
Child Elements
None
Example
<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>