The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

Overview

The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter. This replaces the (deprecated) saml:AttributeRequesterInEntityGroup type from V2. As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.

Membership in an InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of the entity's own metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Name

The InEntityGroup type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to release 3.2.0 the saml:InEntityGroup type was defined by the urn:mace:shibboleth:2.0:afp:mf:saml schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.

Use of that namespace is deprecated but still supported.

Attributes

One attribute must be specified:

  • groupID : a required attribute that specifies the <EntitiesDescriptor> Name to match against (or in V3.4 and up, a matching <AffiliationDescriptor>)

Child Elements

None

Example

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>


Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> with Name urn:example.org.
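To make the matching semantics concrete, the following is an added illustration (not the IdP's own code) that evaluates a requester against a groupID over a constructed metadata aggregate: any enclosing <EntitiesDescriptor> whose Name equals groupID matches, and, for the V3.4 extension, it assumes groupID is compared with an <AffiliationDescriptor>'s affiliationOwnerID and the requester must be listed as an <AffiliateMember>.

```python
"""Model of InEntityGroup matching over SAML metadata (added illustration,
not Shibboleth code). Matches when any <EntitiesDescriptor> enclosing the
requester has Name == groupID, or (assumed V3.4+ semantics) when an
<AffiliationDescriptor> with affiliationOwnerID == groupID lists the requester."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregate: a nested group plus one affiliation.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="urn:example.org">
  <md:EntitiesDescriptor Name="urn:example.org:dept">
    <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth"/>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth"/>
  <md:EntityDescriptor entityID="urn:example.org:affiliation">
    <md:AffiliationDescriptor affiliationOwnerID="urn:example.org:affiliation">
      <md:AffiliateMember>https://sp2.example.org/shibboleth</md:AffiliateMember>
    </md:AffiliationDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def in_entity_group(metadata_xml: str, requester: str, group_id: str) -> bool:
    """Return True if `requester` is in the group named by `group_id`."""
    root = ET.fromstring(metadata_xml.strip())
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") != requester:
            continue
        # Walk every enclosing <EntitiesDescriptor>; any Name match suffices,
        # so nested groups match on the inner and the outer Name alike.
        node = parent.get(ed)
        while node is not None:
            if node.tag == f"{{{MD}}}EntitiesDescriptor" and node.get("Name") == group_id:
                return True
            node = parent.get(node)
    # Assumed V3.4+ behaviour: groupID names the affiliation owner and the
    # requester must appear as an <AffiliateMember>.
    for aff in root.iter(f"{{{MD}}}AffiliationDescriptor"):
        if aff.get("affiliationOwnerID") != group_id:
            continue
        members = {(m.text or "").strip() for m in aff.iter(f"{{{MD}}}AffiliateMember")}
        if requester in members:
            return True
    return False
```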
