Overview
The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter. This replaces the (deprecated) saml:AttributeRequesterInEntityGroup type from V2. As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.
Membership in an InEntityGroup is rarely an effective basis for policy decisions. In general, base your attribute release policy only on the characteristics of the entity's own metadata: the SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself (which <EntitiesDescriptor> an entity happens to sit inside). If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.
Schema Name
The InEntityGroup type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the saml:InEntityGroup type was defined by the urn:mace:shibboleth:2.0:afp:mf:saml schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd. Use of that namespace is deprecated, but is still supported.
Attributes
One attribute must be specified:
groupID: a required attribute that specifies the <EntitiesDescriptor> Name to match against (or, in V3.4 and up, the matching <AffiliationDescriptor>).
Child Elements
None
Example
<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example.org"/>
This rule matches any requester whose metadata lies within an <EntitiesDescriptor> with Name urn:example.org.
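The matching performed by the rule above, and the two membership tests described in the Overview, can be reproduced outside the IdP to check what a given groupID would actually select from a metadata aggregate. The following is an added example and not code from the Shibboleth project: it parses a constructed SAML metadata aggregate with nested <EntitiesDescriptor> elements and one <AffiliationDescriptor>, then evaluates whether a requester entityID falls into a group. The <EntitiesDescriptor> test follows the page (the Name of any enclosing descriptor). For the V3.4 affiliation test, the example assumes the groupID names the entityID of the <EntityDescriptor> that carries the <AffiliationDescriptor> and that the requester must appear as an <AffiliateMember>; treat that reading as an assumption, and confirm it against the IdP's own AffiliationDescriptor documentation.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITIES = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
AFFILIATION = f"{{{MD_NS}}}AffiliationDescriptor"
AFFILIATE = f"{{{MD_NS}}}AffiliateMember"

# Constructed sample aggregate (not real federation metadata): the outer
# group urn:example.org contains a nested departmental group, a second SP
# at the top level, and an entity that only carries an AffiliationDescriptor.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:example.org">
  <EntitiesDescriptor Name="urn:example.org:department">
    <EntityDescriptor entityID="https://sp1.example.org/shibboleth">
      <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </EntityDescriptor>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="urn:example.org:affiliation:library">
    <AffiliationDescriptor affiliationOwnerID="urn:example.org:affiliation:library">
      <AffiliateMember>https://sp2.example.org/shibboleth</AffiliateMember>
    </AffiliationDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


class MetadataGroups:
    """Indexes a metadata aggregate for the two membership tests InEntityGroup performs."""

    def __init__(self, xml_text):
        self.root = ET.fromstring(xml_text)
        # ElementTree has no parent pointers, so build a child -> parent map once.
        self.parents = {child: parent for parent in self.root.iter() for child in parent}

    def entities_descriptor_names(self, entity_id):
        """Name of every <EntitiesDescriptor> enclosing the requester's <EntityDescriptor>.

        Walks upward from the EntityDescriptor, so every level of nesting counts,
        which is why group membership depends on how the aggregate was assembled.
        """
        names = set()
        for ent in self.root.iter(ENTITY):
            if ent.get("entityID") != entity_id:
                continue
            node = self.parents.get(ent)
            while node is not None:
                if node.tag == ENTITIES and node.get("Name"):
                    names.add(node.get("Name"))
                node = self.parents.get(node)
        return names

    def affiliation_ids(self, entity_id):
        """entityID of every <EntityDescriptor> whose <AffiliationDescriptor> lists the requester.

        Assumption (see lead-in): the affiliation is identified by the entityID of
        the EntityDescriptor that carries the AffiliationDescriptor.
        """
        owners = set()
        for aff in self.root.iter(AFFILIATION):
            members = {m.text.strip() for m in aff.findall(AFFILIATE) if m.text}
            if entity_id in members:
                owners.add(self.parents[aff].get("entityID"))
        return owners

    def in_entity_group(self, entity_id, group_id):
        """True if groupID matches an enclosing EntitiesDescriptor Name or an affiliation."""
        return (group_id in self.entities_descriptor_names(entity_id)
                or group_id in self.affiliation_ids(entity_id))


if __name__ == "__main__":
    groups = MetadataGroups(SAMPLE_METADATA)
    for sp in ("https://sp1.example.org/shibboleth", "https://sp2.example.org/shibboleth"):
        for gid in ("urn:example.org", "urn:example.org:department",
                    "urn:example.org:affiliation:library"):
            print(f"{sp} in {gid}: {groups.in_entity_group(sp, gid)}")
```

Running the sample shows why the Overview recommends affiliations over aggregate structure: sp1 is in both urn:example.org and urn:example.org:department purely because of where the federation operator nested its <EntityDescriptor>, whereas sp2's membership in urn:example.org:affiliation:library is an explicit statement in metadata that survives any reshuffling of the aggregate.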