
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The IssuerInEntityGroup type is a PolicyRule that returns true if the Name of any <EntitiesDescriptor> element surrounding the issuer's metadata matches the supplied groupID parameter, or (when affiliation checking is enabled) if the issuer is listed as a member of a matching <AffiliationDescriptor>.

Membership in a group is rarely an effective way of making policy decisions because hierarchies are inherently limiting and metadata sources tend not to align well to policy.

In general, base your attribute release policy on the characteristics of entity metadata only: the entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, prefer the <AffiliationDescriptor> mechanism which allows group membership to be separate from the entities themselves.

Reference

Example

Apply this rule if the entity for the IdP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org.

<PolicyRequirementRule xsi:type="IssuerInEntityGroup" groupID="urn:mace:example.org" checkAffiliations="true"/>
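The following is an added example, not part of the original page, showing the rule above in the context of a complete attribute filter policy together with the two metadata shapes it can match. The policy id, the attribute released (eduPersonPrincipalName) and the entityIDs under https://idp.example.org and https://sp.example.org are constructed for illustration; the layout of the <AffiliationDescriptor> fragment (a separate <EntityDescriptor> whose entityID equals the groupID and which lists the IdP as an <AffiliateMember>) is the standard SAML metadata form and is assumed here to be what checkAffiliations evaluates.

```xml
<!-- ===== attribute-filter.xml (constructed example) ===== -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Release eduPersonPrincipalName only while this IdP's own metadata
       sits inside the urn:mace:example.org group, either by enclosing
       <EntitiesDescriptor Name> or by <AffiliationDescriptor> membership. -->
  <AttributeFilterPolicy id="releaseWhileInExampleGroup">
    <PolicyRequirementRule xsi:type="IssuerInEntityGroup"
                           groupID="urn:mace:example.org"
                           checkAffiliations="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>

<!-- ===== metadata shape 1: enclosing group (separate file, constructed) =====
     The rule matches because the IdP's <EntityDescriptor> is nested inside an
     <EntitiesDescriptor> whose Name equals the groupID. -->
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    Name="urn:mace:example.org">
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <!-- key, endpoint and NameID details omitted for brevity -->
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>

<!-- ===== metadata shape 2: affiliation (separate file, constructed) =====
     The rule matches (only with checkAffiliations="true") because an entity
     named after the groupID carries an <AffiliationDescriptor> that lists
     the IdP's entityID as a member. Membership lives outside the IdP's own
     <EntityDescriptor>, which is the form the Overview recommends. -->
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:mace:example.org">
  <AffiliationDescriptor affiliationOwnerID="https://sp.example.org/shibboleth">
    <AffiliateMember>https://idp.example.org/idp/shibboleth</AffiliateMember>
  </AffiliationDescriptor>
</EntityDescriptor>
```

Note that the decision hinges on how the IdP's own metadata was aggregated: if the federation reorganises its aggregate and the enclosing <EntitiesDescriptor Name> changes, or the affiliation entity is dropped from a metadata feed, the rule silently stops matching and the attribute is no longer released. Check the resolved metadata (not just the source file) when debugging an unexpected deny.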
