Writing an Attribute Release Rule

An attribute release rule specifies which values of which attributes are released to which service providers. A collection of attribute release rules is referred to as an attribute release policy (ARP).

Attribute release rules are specified in the arp.site.xml file.

Writing the Rule

  1. Create a Rule element.
  2. Optionally create a Description element, child of the Rule element, whose content is a description of this rule.
  3. Create a Target element, child of the Rule element, whose content identifies the service provider(s) the rule applies to.
  4. If you want the rule to apply to any service provider, create an AnyTarget element, child of the Target element.
  5. If you want the rule to apply to a specific service provider (or providers), create a Requester element, child of the Target element, with a matchFunction attribute naming the match function (see Match Functions below) and whose content is the string to match against the service provider's ID.
  6. Create an Attribute element, child of the Rule element, with a name attribute whose value is the name of the attribute (for example urn:mace:dir:attribute-def:eduPersonAffiliation).
  7. If you want all values of the attribute to be released to the service providers this rule applies to, create an AnyValue element, child of the Attribute element, with a release attribute (permit or deny).
  8. If you want to restrict the values released to the service providers this rule applies to, create a Value element, child of the Attribute element, with a release attribute (permit or deny) and a matchFunction attribute, and whose content is the string to match against the attribute value.

The Rule element must contain exactly one Target element, followed by zero or more Attribute elements, followed by zero or more AttributeReference elements. Note the ordering: the Target element must appear before the Attribute elements. More than one Requester element may appear in a Target element, in which case the rule applies to a service provider if any of them matches. More than one Value element may appear within an Attribute element.

Match Functions

Match functions determine whether a given service provider ID or attribute value matches a given criterion. A Requester or Value element names the function to use in its matchFunction attribute, and the function is applied to the element's content. The following match functions ship with Shibboleth.

Example Configuration

This rule releases any value of the eduPersonAffiliation attribute to any service provider.

<Rule>
	<Description>eduPersonAffiliation release to anyone</Description>
	<Target>
		<AnyTarget/>
	</Target>

	<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
		<AnyValue release="permit"/>
	</Attribute>
</Rule>

This rule denies the administrative group values of the memberOf attribute to service providers whose ID contains .brown.edu. On its own it releases nothing: a deny-only rule only removes values that another applicable rule (for example one with an AnyValue release="permit" for memberOf) permits, and an explicit deny always overrides a permit. Combined with such a permit, the effect is that most group values, but not administrative ones, are released to Brown University. Note that the target pattern .*\.brown\.edu.* matches that substring anywhere in the requester ID, so a provider ID that merely contains it elsewhere (for example in a query string) would also match; anchor the pattern to the host portion of the ID when that distinction matters.

<Rule>
	<Description>Non-administrative groups released to Brown</Description>
	<Target>
		<Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">.*\.brown\.edu.*</Requester>
	</Target>

	<Attribute name="memberOf">
		<Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^urn:mace:example.org:group:admin:.*</Value>
	</Attribute>
</Rule>
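To see what the rules written by the procedure above actually release, here is an added Python evaluator (example code written for this page, not part of Shibboleth) that parses ARP XML with the Rule/Target/Requester/Attribute/AnyValue/Value structure and applies the two example rules to one user's attributes. It assumes that regexMatch uses full-match semantics (consistent with the page's own target pattern carrying .* at both ends), that several Requester elements in one Target are ORed, that a deny in any applicable rule overrides a permit, and a root element named AttributeReleasePolicy; the sample ARP adds an AnyValue permit for memberOf so the deny rule has something to override, and the attribute values and provider IDs are constructed. The third requester ID shows why the unanchored .*\.brown\.edu.* target pattern should be anchored.

```python
import re
import xml.etree.ElementTree as ET

REGEX_MATCH = "urn:mace:shibboleth:arp:matchFunction:regexMatch"

# Constructed ARP for this example: the two rules from this page, plus an
# AnyValue permit for memberOf so the deny rule has something to override.
# The root element name is an assumption of this toy, not taken from the page.
ARP_XML = r"""
<AttributeReleasePolicy>
  <Rule>
    <Description>eduPersonAffiliation release to anyone</Description>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Non-administrative groups released to Brown</Description>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">.*\.brown\.edu.*</Requester>
    </Target>
    <Attribute name="memberOf">
      <AnyValue release="permit"/>
      <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^urn:mace:example.org:group:admin:.*</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
"""

# Constructed attribute values for one user.
ATTRIBUTES = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": ["member", "staff"],
    "memberOf": [
        "urn:mace:example.org:group:admin:root",
        "urn:mace:example.org:group:students",
    ],
}


def match(element, subject):
    """Apply the element's matchFunction to subject.

    Only regexMatch is implemented here; the pattern is the element's stripped
    text content. Full-match semantics are assumed.
    """
    func = element.get("matchFunction", REGEX_MATCH)
    if func != REGEX_MATCH:
        raise ValueError("unsupported matchFunction: " + func)
    pattern = (element.text or "").strip()
    return re.fullmatch(pattern, subject) is not None


def rule_applies(rule, requester):
    """True if the rule's Target covers this requester (any matching Requester suffices)."""
    target = rule.find("Target")
    if target is None:
        return False
    if target.find("AnyTarget") is not None:
        return True
    return any(match(r, requester) for r in target.findall("Requester"))


def evaluate(arp_xml, requester, attributes):
    """Return {attribute name: released values} for one requester.

    Assumed combination semantics: a value is released only if some applicable
    rule permits it and no applicable rule denies it (deny overrides permit).
    """
    root = ET.fromstring(arp_xml)
    applicable = [r for r in root.findall("Rule") if rule_applies(r, requester)]
    released = {}
    for name, values in attributes.items():
        permitted, denied = set(), set()
        for rule in applicable:
            for attr in rule.findall("Attribute"):
                if attr.get("name") != name:
                    continue
                for value in values:
                    for any_value in attr.findall("AnyValue"):
                        (permitted if any_value.get("release") == "permit" else denied).add(value)
                    for val in attr.findall("Value"):
                        if match(val, value):
                            (permitted if val.get("release") == "permit" else denied).add(value)
        released[name] = [v for v in values if v in permitted and v not in denied]
    return released


if __name__ == "__main__":
    for sp in (
        "https://sp.brown.edu/shibboleth",         # intended match
        "https://sp.other.edu/shibboleth",         # not covered by the Brown rule
        "https://sp.other.edu/sp?ref=.brown.edu",  # constructed: substring match, not a Brown SP
    ):
        print(sp, evaluate(ARP_XML, sp, ATTRIBUTES))
```

The Brown service provider receives both affiliation values and the students group but not the admin group; the unrelated provider receives only the affiliation values, because no applicable rule permits memberOf for it; and the constructed provider ID that merely contains .brown.edu in its query string is treated exactly like the Brown provider, which is the reason to anchor the target pattern to the host part of the ID.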

Advanced Feature: ARP Constraints