The Shibboleth IdP V4 software will leave support on September 1, 2024.


You are viewing an old version of this page. View the current version.


Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The AND type is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location: if it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), it acts as a PolicyRule; otherwise it acts as a Matcher.

Reference

PolicyRule Semantics

When used as a PolicyRule, the result is the logical AND of the evaluation of the child rules.

Example

The example reads "Only apply this rule when someone has logged in as jsmith and the SP is named 'https://sp.example.org'."

<PolicyRequirementRule xsi:type="AND">
   <Rule xsi:type="Requester" value="https://sp.example.org" />
   <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the allow or deny set result is the intersection of all sets resulting from the child rules (that is, it is the set of items which is common to the results of all child rules).

Example

The example reads "Only release those values of the attribute 'uid' that match both regular expressions (start with jsmit and end with th)."

<AttributeRule attributeID="uid">
  <PermitValueRule xsi:type="AND">
     <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
     <Rule xsi:type="ValueRegex" regex="^.*th$" />
  </PermitValueRule>
</AttributeRule>
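
The following is an added example, not part of the Shibboleth documentation or code: a simplified Python model of the Matcher semantics that parses the AttributeRule above and intersects the value sets selected by the child rules. It covers only AND and ValueRegex, assumes whole-value regex matching with Python's regex engine standing in for Java's, and its function names and sample values are constructed.

```python
import re
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# The page's Matcher example, with namespace declarations added so it parses alone.
RULE_XML = f"""
<AttributeRule xmlns="{AFP}" xmlns:xsi="{XSI}" attributeID="uid">
  <PermitValueRule xsi:type="AND">
    <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
    <Rule xsi:type="ValueRegex" regex="^.*th$" />
  </PermitValueRule>
</AttributeRule>
"""


def matched_values(node, values):
    """Return the subset of `values` selected by one Matcher element."""
    kind = node.get(f"{{{XSI}}}type")
    if kind == "ValueRegex":
        pattern = re.compile(node.get("regex"))
        # Assumption of this model: the regex must match the whole value.
        return {v for v in values if pattern.fullmatch(v)}
    if kind == "AND":
        children = node.findall(f"{{{AFP}}}Rule")
        if not children:
            # Model choice: refuse an AND with nothing to intersect.
            raise ValueError("AND needs at least one child Rule")
        result = set(values)
        for child in children:
            # Matcher semantics: keep only values common to every child.
            result &= matched_values(child, values)
        return result
    raise ValueError(f"Matcher type not covered by this model: {kind}")


def permitted(rule_xml, values):
    """Evaluate the PermitValueRule of an AttributeRule over candidate values."""
    rule = ET.fromstring(rule_xml)
    permit = rule.find(f"{{{AFP}}}PermitValueRule")
    return matched_values(permit, set(values))


if __name__ == "__main__":
    # Constructed sample values: two satisfy both regexes, two satisfy only one.
    sample = ["jsmith", "jsmitherth", "jsmithers", "goldsmith"]
    print(sorted(permitted(RULE_XML, sample)))
```

Values that satisfy only one child rule ("jsmithers", "goldsmith") are dropped, which is the difference between the intersection used here and a union of the child results.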

