This feature requires V4.2 and above.
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The ProxiedRequesterEntityAttributeExactMatch type is a PolicyRule that returns true if the SAML metadata for a proxied requester contains <mdattr:EntityAttribute> extension data matching the supplied parameterization.
Specifying the attributeNameFormat attribute in the rule will constrain the rule to match only against the underlying XML representation of the extension data. Omitting it will permit the rule to match against the data mapped from the XML via the AttributeRegistryConfiguration, which increases efficiency.
The notion of a “proxied requester” varies by profile/protocol/use case, and generally does not involve metadata. This rule can be applied in cases where metadata may be available (and is actually being accessed).
Name | Type | Required? | Default | Description |
---|---|---|---|---|
attributeName | String | Y | | The SAML Attribute |
attributeValue | String | Y | | The string value to match against |
attributeNameFormat | URI | | | The SAML Attribute |
ignoreUnmappedEntityAttributes | Boolean | | false | When true, this constrains the rule to ignore the underlying XML and match solely against the data mapped via the AttributeRegistryConfiguration |
The following policy rule:

```xml
<PolicyRequirementRule xsi:type="ProxiedRequesterEntityAttributeExactMatch"
    attributeName="urn:mace:example.org:policy"
    attributeValue="urn:mace:example.org:policy:ABCD1234" />
```

would match the tags in the metadata below:

```xml
[...]
<Extensions>
    <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:mace:example.org:policy">
            <saml:AttributeValue>urn:mace:example.org:policy:ABCD</saml:AttributeValue>
            <saml:AttributeValue>urn:mace:example.org:policy:ABCD1234</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:mace:example.org:entitlements"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>urn:mace:example.org:entitlements:ABCD</saml:AttributeValue>
            <saml:AttributeValue>urn:mace:example.org:entitlements:1234</saml:AttributeValue>
        </saml:Attribute>
    </mdattr:EntityAttributes>
</Extensions>
[...]
```
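As an added example (not part of the original documentation), here is the rule used as the requirement of a complete attribute filter policy, with attributeNameFormat set so that it matches the urn:mace:example.org:entitlements attribute of the sample metadata against the underlying XML. The policy ids and the released attribute ID are assumptions chosen for illustration.

```xml
<AttributeFilterPolicyGroup id="ExampleProxiedRequesterPolicies"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Hypothetical policy id. -->
    <AttributeFilterPolicy id="releaseToProxiedEntitlement1234">

        <!-- Active only when the proxied requester's metadata carries an entity
             attribute with this Name, this NameFormat, and a value that is
             exactly equal to attributeValue. Because attributeNameFormat is
             present, the comparison runs against the XML extension data. -->
        <PolicyRequirementRule xsi:type="ProxiedRequesterEntityAttributeExactMatch"
            attributeName="urn:mace:example.org:entitlements"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="urn:mace:example.org:entitlements:1234" />

        <!-- Hypothetical attribute ID; it must be defined in the attribute resolver. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Since the comparison is an exact string match, metadata carrying only urn:mace:example.org:entitlements:ABCD would leave this policy inactive and the attribute unreleased by it.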