Writing an Attribute Release Rule
An attribute release rule specifies which values of which attributes are released to which service providers. A collection of attribute release rules is referred to as an attribute release policy (ARP).
Attribute release rules are specified in the arp.site.xml file.
Writing the Rule
- Create a Rule element.
- Optionally create a Description element, child of the Rule element, whose content is a description of this rule.
- Create a Target element, child of the Rule element, whose content is one of the following:
  - If you want the rule to apply to any service provider, create an AnyTarget element, child of the Target element.
  - If you want the rule to apply to one or more specific service providers, create a Requester element with the following attribute and whose content is the string to match:
    - matchFunction - the URI identifier of the function used to evaluate whether the content of the Requester element matches the entity ID of the service provider requesting attributes
- Create an Attribute element, child of the Rule element, with the following attribute:
  - name - the name of the attribute this rule applies to; this must match the value of the id attribute on the attribute's definition in the resolver.xml configuration file
- If you want all values of the attribute to be released to the service providers this rule applies to, create an AnyValue element, child of the Attribute element, with the release attribute described below.
- If you want to restrict the values released to the service providers this rule applies to, create a Value element, child of the Attribute element, with the following attributes and whose content is the string to match:
  - matchFunction - the URI identifier of the function used to evaluate whether the content of the Value element matches the possible value(s) of the attribute
  - release - whether to permit the release of the attribute values that match this rule or deny them; permissible values are "permit" and "deny" (the attribute is used on both AnyValue and Value elements, as in the examples below)
The Rule element must contain exactly one Target element, followed by zero or more Attribute elements, followed by zero or more AttributeReference elements. Note the ordering: the Target element must appear before the Attribute elements. More than one Requester element may appear in a Target element. More than one Value element may appear within an Attribute element.
Match Functions
Match functions determine whether a given service provider ID or attribute value matches a given criterion. The following match functions ship with Shibboleth.
- urn:mace:shibboleth:arp:matchFunction:stringMatch - checks if a service provider ID or attribute value exactly matches the given criteria
- urn:mace:shibboleth:arp:matchFunction:stringNotMatch - checks if a service provider ID or attribute value does not exactly match the given criteria
- urn:mace:shibboleth:arp:matchFunction:regexMatch - evaluates a regular expression and indicates a match if the regular expression matches the provider ID or attribute value
- urn:mace:shibboleth:arp:matchFunction:regexNotMatch - evaluates a regular expression and indicates a match if the regular expression does not match the provider ID or attribute value
- urn:mace:shibboleth:arp:matchFunction:anyValueMatch - matches any non-null string
Example Configuration
This rule releases any value of the eduPersonAffiliation attribute to any service provider.
<Rule>
    <Description>eduPersonAffiliation release to anyone</Description>
    <Target>
        <AnyTarget/>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
        <AnyValue release="permit"/>
    </Attribute>
</Rule>
This rule releases most group values, but not administrative ones, to service providers from Brown University.
<Rule>
    <Description>Non-administrative groups released to Brown</Description>
    <Target>
        <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
            .*\.brown\.edu.*
        </Requester>
    </Target>
    <Attribute name="memberOf">
        <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
            ^urn:mace:example.org:group:admin:.*
        </Value>
    </Attribute>
</Rule>
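As an added example (not code from the Shibboleth project), the following Python script checks a Rule element against the structural constraints described above (exactly one Target, Target before Attribute before AttributeReference, a known matchFunction, a release value of "permit" or "deny") and then evaluates the two example rules against constructed requester entity IDs and attribute values using the five match functions listed above. Assumptions are labelled in the code: regexMatch is treated as a whole-string match, a deny from any rule takes precedence over a permit from another, and the two rules are wrapped in a plain AttributeReleasePolicy root element because the real file's root element is not shown on this page.

```python
"""Validate and evaluate Shibboleth 1.x-style ARP rules (added example)."""
import re
import xml.etree.ElementTree as ET

ARP = "urn:mace:shibboleth:arp:matchFunction:"

# The five match functions named on the page. regexMatch/regexNotMatch are
# applied as whole-string matches (assumption, consistent with the leading and
# trailing ".*" in the page's Requester example).
MATCH_FUNCTIONS = {
    ARP + "stringMatch":    lambda crit, val: val == crit,
    ARP + "stringNotMatch": lambda crit, val: val != crit,
    ARP + "regexMatch":     lambda crit, val: re.fullmatch(crit, val) is not None,
    ARP + "regexNotMatch":  lambda crit, val: re.fullmatch(crit, val) is None,
    ARP + "anyValueMatch":  lambda crit, val: bool(val),
}

# The page's two example rules inside a constructed root element (assumption).
SAMPLE_ARP = r"""<AttributeReleasePolicy>
  <Rule>
    <Description>eduPersonAffiliation release to anyone</Description>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Non-administrative groups released to Brown</Description>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
        .*\.brown\.edu.*
      </Requester>
    </Target>
    <Attribute name="memberOf">
      <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
        ^urn:mace:example.org:group:admin:.*
      </Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""


def load_rules(xml_text):
    """Return the Rule elements found directly under the root element."""
    return ET.fromstring(xml_text).findall("Rule")


def validate_rule(rule):
    """Check the structural constraints stated on the page; [] means OK."""
    problems = []
    tags = [c.tag for c in rule if c.tag != "Description"]
    if tags.count("Target") != 1:
        problems.append("Rule must contain exactly one Target element")
    order = {"Target": 0, "Attribute": 1, "AttributeReference": 2}
    ranks = [order.get(t, 99) for t in tags]
    if 99 in ranks:
        problems.append("unexpected child element(s) in Rule: %r" % [t for t in tags if t not in order])
    elif ranks != sorted(ranks):
        problems.append("Target must precede Attribute elements, which must precede AttributeReference elements")
    for target in rule.findall("Target"):
        requesters = target.findall("Requester")
        if target.find("AnyTarget") is None and not requesters:
            problems.append("Target needs an AnyTarget or at least one Requester element")
        for req in requesters:
            if req.get("matchFunction") not in MATCH_FUNCTIONS:
                problems.append("Requester has unknown matchFunction %r" % req.get("matchFunction"))
    for attr in rule.findall("Attribute"):
        if not attr.get("name"):
            problems.append("Attribute element is missing its name attribute")
        for clause in attr:
            if clause.get("release") not in ("permit", "deny"):
                problems.append("%s under %r needs release='permit' or 'deny'" % (clause.tag, attr.get("name")))
            if clause.tag == "Value" and clause.get("matchFunction") not in MATCH_FUNCTIONS:
                problems.append("Value under %r has unknown matchFunction" % attr.get("name"))
    return problems


def _matches(elem, candidate):
    """Apply the element's matchFunction to its whitespace-stripped content."""
    return MATCH_FUNCTIONS[elem.get("matchFunction")]((elem.text or "").strip(), candidate)


def rule_applies_to(rule, requester_id):
    """True if the rule's Target covers the service provider with this entity ID."""
    target = rule.find("Target")
    if target is None:
        return False
    if target.find("AnyTarget") is not None:
        return True
    return any(_matches(req, requester_id) for req in target.findall("Requester"))


def evaluate(rules, requester_id, attr_name, values):
    """Per value: "permit", "deny", or None when no rule addresses it.
    A deny from any rule overrides a permit (assumption, not stated on the page)."""
    decisions = {v: None for v in values}
    for rule in rules:
        if not rule_applies_to(rule, requester_id):
            continue
        for attr in rule.findall("Attribute"):
            if attr.get("name") != attr_name:
                continue
            for value in values:
                for clause in attr:
                    hit = clause.tag == "AnyValue" or (clause.tag == "Value" and _matches(clause, value))
                    if hit and (clause.get("release") == "deny" or decisions[value] is None):
                        decisions[value] = clause.get("release")
    return decisions


if __name__ == "__main__":
    rules = load_rules(SAMPLE_ARP)
    for r in rules:
        print(r.findtext("Description"), "->", validate_rule(r) or "OK")
    print(evaluate(rules, "https://sp.brown.edu/shibboleth", "memberOf",
                   ["urn:mace:example.org:group:admin:root", "urn:mace:example.org:group:students"]))
```

Running it shows the second rule on its own only yields a decision for the administrative group value; the non-administrative value comes back as None, i.e. not addressed by that rule, which is what to check for when a rule does not behave as its Description suggests.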
Advanced Feature: ARP Constraints