Overview
The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attribute values against the supplied string.
Confusingly, the Scope type can be a Matcher or a PolicyRequirement.
- If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values' scopes, and the empty set otherwise)
- If an attributeID attribute is specified then it is a PolicyRule (returning true if that value is present amongst the values' scopes for the specified attribute).
Schema Name
The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
Attributes
Three attributes may be specified:
Name | Type | Default | Description |
---|---|---|---|
attributeID | String | none | If this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope. If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise. |
value | String | required | The value to match against |
ignoreCase | Boolean | false | Whether the matching is case insensitive |
Child Elements
None
Examples
<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>
Apply this rule if the attribute "epsa" contains a value with scope "university.edu".
<AttributeRule attributeID="epsa">
    <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" />
</AttributeRule>
If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be released for "uid".
<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>
Apply this rule if any attribute contains a scoped value with scope "university.edu".
<AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/>
</AttributeRule>
If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email".
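The Matcher and PolicyRule behaviours described above can be modelled in a few lines. This is an added example, not Shibboleth code and not part of the original page. It assumes scoped values are written as "value@scope" and that the scope is compared as a whole string; the function names and sample data are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples; xmlns:xsi is declared so the fragments parse on their own.
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
MATCHER = f'<PermitValueRule {XSI} xsi:type="Scope" value="university.edu"/>'
MATCHER_NOCASE = (f'<PermitValueRule {XSI} xsi:type="Scope" '
                  'value="university.edu" ignoreCase="true"/>')
POLICY_RULE = (f'<PolicyRequirementRule {XSI} xsi:type="Scope" '
               'value="university.edu" attributeID="epsa"/>')

# Constructed attribute values, assumed to be serialized as "value@scope".
ATTRS = {"epsa": ["member@university.edu", "staff@University.EDU",
                  "student@cs.university.edu", "guest"]}


def parse_rule(xml_text):
    """Read the three attributes from the table, applying its defaults."""
    el = ET.fromstring(xml_text)
    return {
        "value": el.attrib["value"],  # required: KeyError if missing
        "ignore_case": el.get("ignoreCase", "false") in ("true", "1"),
        "attribute_id": el.get("attributeID"),  # None means Matcher
    }


def scope_matches(rule, scoped_value):
    """Assumption: whole-string comparison of the scope, no suffix matching."""
    _, sep, scope = scoped_value.rpartition("@")
    if not sep:
        return False  # unscoped value, nothing to compare
    if rule["ignore_case"]:
        return scope.lower() == rule["value"].lower()
    return scope == rule["value"]


def evaluate(rule, attributes, rule_attribute):
    """PolicyRule -> bool; Matcher -> matching values of rule_attribute."""
    if rule["attribute_id"] is not None:
        values = attributes.get(rule["attribute_id"], [])
        return any(scope_matches(rule, v) for v in values)
    return [v for v in attributes.get(rule_attribute, [])
            if scope_matches(rule, v)]


if __name__ == "__main__":
    for xml_text in (MATCHER, MATCHER_NOCASE, POLICY_RULE):
        print(evaluate(parse_rule(xml_text), ATTRS, "epsa"))
```

In this model the sub-domain scope "cs.university.edu" never matches "university.edu", and "University.EDU" matches only when ignoreCase="true"; both cases are worth checking when reviewing a release policy.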