An attribute filter policy describes which attributes, and which of their values, are sent to a service provider. The default attribute filter policy file is IDP_HOME/conf/attribute-filter.xml.
An attribute filter policy is defined by the <AttributeFilterPolicy> element, which carries one required attribute, id: an identifier for the policy that must be unique within the policy group.

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <!-- Policy Requirement Rule would go here -->
    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>
```
Each attribute filter policy must contain one and only one policy requirement rule. This rule determines whether the attribute filter policy is active for a given request. If the policy requirement rule evaluates to true, the policy is active and its attribute rules are applied; if it evaluates to false, the policy is not active and contributes nothing to that request.
A policy requirement rule is defined with the element <PolicyRequirementRule xsi:type="MATCHING_RULE_TYPE">. The matching rule type may be any matching rule type.

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <!-- Attribute Rules would go here -->
</AttributeFilterPolicy>
```
Each attribute filter policy contains zero or more attribute rules. If an attribute filter policy is active, then its set of attribute rules determines which attributes the policy affects; an attribute that no active policy names is not affected by any rule and is therefore not released.

An attribute rule is defined with the element <AttributeRule>, which carries one required attribute, attributeID: the ID of the attribute (as defined in the attribute resolver) that the rule applies to.

```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <!-- Permit/Deny Rules go here -->
    </AttributeRule>
</AttributeFilterPolicy>
```
Each attribute rule contains one and only one value rule, which is either a permit value rule or a deny value rule. A permit value rule specifies which attribute values are permitted to be released. A deny value rule specifies which attribute values are not permitted to be released. Permits and denies are collected across all active policies, and a value is released if and only if it has been permitted by at least one active policy and has not been denied by any active policy. That is, a deny always takes precedence over a permit, regardless of which policy it appears in, and a value that no active policy permits is never released.
A permit value rule is defined with the element <PermitValueRule xsi:type="MATCHING_RULE_TYPE">. A deny value rule is defined with the element <DenyValueRule xsi:type="MATCHING_RULE_TYPE">. In both cases the matching rule type may be any matching rule type.
```xml
<AttributeFilterPolicy id="releaseToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY" />
    <AttributeRule attributeID="transientId">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
        </PermitValueRule>
    </AttributeRule>
</AttributeFilterPolicy>
```
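To make the evaluation order concrete (the policy requirement rule gates each policy, permits and denies are collected across all active policies, and a deny wins over a permit), the following Python model walks a small policy group and computes what one user's attributes would be released to three different service providers. This is an added example, not code from the Shibboleth IdP: the policy group, the entity IDs and the user's attribute values are constructed for the illustration, and the evaluator supports only the basic:ANY, basic:AND, basic:OR, basic:NOT, basic:AttributeValueString and basic:AttributeRequesterString rule types. The third policy shows the deny-precedence case: the first policy permits the value library-walk-in to anyone, but a policy scoped to one SP denies it, so that SP never sees it.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
NS = {"afp": AFP}

# Constructed policy group (not a real deployment): a permit-to-anyone policy, an
# SP-specific permit, and an SP-specific deny that overrides the first policy.
POLICY_XML = f"""<AttributeFilterPolicyGroup id="ExamplePolicyGroup"
    xmlns="{AFP}" xmlns:basic="{AFP}:mf:basic" xmlns:xsi="{XSI}">
  <AttributeFilterPolicy id="releaseAffiliationToAnyone">
    <PolicyRequirementRule xsi:type="basic:ANY"/>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="releaseMailToOneSP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://sp.example.org/shibboleth"/>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="noWalkInsToLibrarySP">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://library.example.org/shibboleth"/>
    <AttributeRule attributeID="eduPersonAffiliation">
      <DenyValueRule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

# Constructed resolved attributes for one user; uid is named by no policy.
USER = {
    "eduPersonAffiliation": ["member", "Student", "library-walk-in"],
    "mail": ["alice@example.org"],
    "uid": ["alice"],
}


def _string_match(candidate, rule):
    """basic:*String comparison: exact match, optionally case-insensitive."""
    if candidate is None:
        return False
    if rule.get("ignoreCase", "false").lower() == "true":
        return candidate.lower() == rule.get("value").lower()
    return candidate == rule.get("value")


def evaluate(rule, requester, attributes, value=None):
    """Evaluate one matching rule; `value` is the candidate when used as a value rule."""
    rule_type = rule.get(f"{{{XSI}}}type").split(":")[-1]
    children = [c for c in rule if c.tag.endswith("}Rule")]   # nested basic:Rule elements
    if rule_type == "ANY":
        return True
    if rule_type == "AND":
        return all(evaluate(c, requester, attributes, value) for c in children)
    if rule_type == "OR":
        return any(evaluate(c, requester, attributes, value) for c in children)
    if rule_type == "NOT":
        return not evaluate(children[0], requester, attributes, value)
    if rule_type == "AttributeRequesterString":
        return _string_match(requester, rule)
    if rule_type == "AttributeValueString":
        attr_id = rule.get("attributeID")
        if attr_id is None:                     # value-rule form: test the candidate value
            return _string_match(value, rule)
        return any(_string_match(v, rule) for v in attributes.get(attr_id, []))
    raise ValueError(f"unsupported rule type {rule_type}")


def filter_attributes(policy_xml, requester, attributes):
    """Return {attributeID: [values]} released to `requester`: permitted and not denied."""
    root = ET.fromstring(policy_xml)
    permitted = {aid: set() for aid in attributes}
    denied = {aid: set() for aid in attributes}
    for policy in root.findall("afp:AttributeFilterPolicy", NS):
        if not evaluate(policy.find("afp:PolicyRequirementRule", NS), requester, attributes):
            continue                            # policy not active for this request
        for arule in policy.findall("afp:AttributeRule", NS):
            aid = arule.get("attributeID")
            if aid not in attributes:
                continue
            permit = arule.find("afp:PermitValueRule", NS)
            deny = arule.find("afp:DenyValueRule", NS)
            for v in attributes[aid]:
                if permit is not None and evaluate(permit, requester, attributes, v):
                    permitted[aid].add(v)
                if deny is not None and evaluate(deny, requester, attributes, v):
                    denied[aid].add(v)
    released = {}
    for aid, values in attributes.items():
        keep = [v for v in values if v in permitted[aid] and v not in denied[aid]]
        if keep:
            released[aid] = keep
    return released


if __name__ == "__main__":
    for sp in ("https://sp.example.org/shibboleth",
               "https://library.example.org/shibboleth",
               "https://other.example.org/shibboleth"):
        print(sp, "->", filter_attributes(POLICY_XML, sp, USER))
```

Running it shows the three outcomes a deployer should expect: sp.example.org receives all three affiliation values plus mail, the library SP receives only member and Student because its deny overrides the global permit, and an unlisted SP receives the affiliation values but nothing else. uid is never released to anyone, since no policy permits it.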
The following matching rules are supported in a standard Shibboleth IdP installation and are usable as the type for <PolicyRequirementRule>, <PermitValueRule>, and <DenyValueRule> elements.
Some installations may wish to define attribute filter policies in multiple files, for administrative and maintenance purposes. The IdP is capable of loading multiple policy files. To enable this, within the IDP_HOME/conf/service.xml file, locate the service AttributeFilterEngine and add one additional <ConfigurationResource> element, with an appropriate resource type, for each additional file you wish the IdP to load.
Each filter policy group must have a unique ID. If you create a copy of an existing filter file as the seed for your new file, be sure to change the

```xml
<Service id="shibboleth.AttributeFilterEngine"
         xmlns="urn:mace:shibboleth:2.0:services"
         xsi:type="afp:ShibbolethAttributeFilteringEngine">
    <ConfigurationResource file="/opt/shibboleth-idp/conf/attribute-filter.xml"
                           xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/group-attribute-filter.xml"
                           xsi:type="resource:FilesystemResource" />
    <ConfigurationResource file="/opt/shibboleth-idp/conf/user-attribute-filter.xml"
                           xsi:type="resource:FilesystemResource" />
</Service>
```

The xsi, afp and resource prefixes used here are the ones declared on the root element of the default service.xml; the files are loaded in the order listed, but since permits and denies are combined across all active policies, a deny in any file still overrides a permit in any other.
Additional examples are also available. These provide more complete examples and are contributed by users of the software:

- Releases the controlled values for eduPersonAffiliation to anyone.
- Releases email address to a specific service provider.
- Denies the release of personal information if FERPA suppression is enabled.