Overview
The AND type (basic:AND prior to V3.2.0) is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule; otherwise it acts as a Matcher.
Schema Type and Location
The type itself is defined within the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
A deprecated version of this type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
Reference
Attributes
None
Child Elements
At least one <Rule> element must be present (these are interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).
If the deprecated basic:AND form is used, then at least two <basic:Rule> child elements must be present.
PolicyRule Semantics
When used as a PolicyRule, the result is the logical AND of the evaluation of the child rules.
Example
The example reads "Only apply this rule when someone has logged in as jsmith and the SP is named 'https://sp.example.org'."
<PolicyRequirementRule xsi:type="AND">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
    <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>
Matcher Semantics
When used as a Matcher, the allow or deny set result is the intersection of all sets resulting from the child rules (that is, it is the set of items which is common to the results of all child rules).
Example
The example reads "Only release those values for the attribute 'uid' which match both the regular expressions (starting with jsmi and ending with th)."
<AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="AND">
        <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
        <Rule xsi:type="ValueRegex" regex="^.*th$" />
    </PermitValueRule>
</AttributeRule>
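The PolicyRule and Matcher semantics described above, modelled in Python as an added example. This is not Shibboleth code: the helper names, the context keys and the sample uid values are constructed for illustration, and the model covers only the behavior stated on this page.

```python
import re
from typing import Callable, Dict, Set

Matcher = Callable[[Set[str]], Set[str]]       # attribute values -> selected subset
PolicyRule = Callable[[Dict[str, str]], bool]  # request context -> does the policy apply?


def value_regex(pattern: str) -> Matcher:
    """Model of a ValueRegex child: selects the values the pattern matches."""
    compiled = re.compile(pattern)  # the page's patterns are anchored with ^ and $
    return lambda values: {v for v in values if compiled.search(v)}


def context_equals(key: str, expected: str) -> PolicyRule:
    """Model of a Requester / PrincipalName child: exact string comparison."""
    return lambda ctx: ctx.get(key) == expected


def and_matcher(*children: Matcher) -> Matcher:
    """AND as a Matcher: the intersection of every child's result set."""
    if not children:
        raise ValueError("AND requires at least one child <Rule>")

    def matcher(values: Set[str]) -> Set[str]:
        selected = set(values)
        for child in children:
            selected &= child(values)  # one empty child result empties the set
        return selected

    return matcher


def and_policy_rule(*children: PolicyRule) -> PolicyRule:
    """AND as a PolicyRule: true only if every child rule is true."""
    if not children:
        raise ValueError("AND requires at least one child <Rule>")
    return lambda ctx: all(child(ctx) for child in children)


# The two examples from the page, expressed with the model above.
POLICY = and_policy_rule(
    context_equals("requester", "https://sp.example.org"),
    context_equals("principal", "jsmith"),
)
PERMIT_UID = and_matcher(value_regex(r"^jsmit.*$"), value_regex(r"^.*th$"))

# Constructed sample values for the 'uid' attribute.
SAMPLE_UIDS = {"jsmith", "jsmitty", "asmith", "jsmithsmith"}
```

Calling PERMIT_UID(SAMPLE_UIDS) keeps only the values that satisfy both patterns, and POLICY returns False as soon as either the requester or the principal differs.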