The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
AttributeFilterPolicyConfiguration
Overview
An <AttributeFilterPolicy> element describes one set of filtering behaviors. Informally it consists of two parts:
- The <PolicyRequirementRule>, which describes when the policy should be applied.
- A series of <AttributeRule> elements, which describe what the policy does.
In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates which plugin is used.
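As an added illustration (not taken from this wiki page or from the Shibboleth project's own distribution files), the fragment below is a complete attribute-filter.xml in the V3.2+ single-namespace style, using the urn:mace:shibboleth:2.0:afp namespace and schema location given in the Reference section. The SP entityID, the attribute IDs and the affiliation value are assumed placeholders; the attribute IDs must match definitions in the deployment's attribute-resolver.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; entityID and attribute IDs are assumed placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- One policy = one PolicyRequirementRule + one or more AttributeRules. -->
    <AttributeFilterPolicy id="releaseToExampleSP">

        <!-- WHEN: only for this one attribute recipient (a PolicyRule plugin).
             Using xsi:type="ANY" here instead would apply the policy to every SP. -->
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>

        <!-- WHAT: release every value of eduPersonPrincipalName (ANY as a Matcher). -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>

        <!-- WHAT: release eduPersonAffiliation, but only the value "member";
             any other value of the attribute is filtered out (Value as a Matcher). -->
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="Value" value="member"/>
        </AttributeRule>

    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The filter engine is default-deny: an attribute value reaches the SP only if some policy whose <PolicyRequirementRule> is satisfied contains an <AttributeRule> for that attribute with a <PermitValueRule> that matches the value, and no <DenyValueRule> in an applicable policy matches it. Attributes resolved but never permitted are silently withheld, so the least-privilege posture comes from keeping <PolicyRequirementRule> elements narrow (a specific Requester, or a metadata tag) rather than from the order of policies.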
Reference
Schema Name
Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
In addition, IdP versions prior to 3.2.0 used the following schemas:
- The urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
- The urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd
Use of these additional namespaces remains supported in newer V3 versions, but it is neither required nor advised in new deployments, and they will be removed in V4.0. Every plugin type defined in these two namespaces has a corresponding type in the urn:mace:shibboleth:2.0:afp namespace with the same name or a truncated version of it. The tables of legacy-to-current name mappings are given on the AttributeFilterLegacyNameSpaceMapping page.
Attributes
None.
Child Elements
Name | Cardinality | Description |
---|---|---|
<PolicyRequirementRule> | 1 | Describes the conditions under which the policy applies to a request |
<AttributeRule> | 1 or more | Describes the precise rules to apply if the <PolicyRequirementRule> is satisfied |
Common Rule Types
As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined on the AttributeFilterConfiguration page).
The table below gives the V3.2+ type name (the point at which the additional namespace complexity was removed). For the older (and V2-compatible) type name, consult the AttributeFilterLegacyNameSpaceMapping information.
RuleType | PolicyRule or Matcher | Function |
---|---|---|
ANY | PolicyRule | Logically TRUE |
ANY | Matcher | Set unity (matches every value) |
AND | PolicyRule | Logical AND |
AND | Matcher | Set intersection |
OR | PolicyRule | Logical OR |
OR | Matcher | Set union |
NOT | PolicyRule | Logical NOT |
NOT | Matcher | Set inversion |
Predicate | PolicyRule | Call an externally-defined predicate |
Requester | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
ProxiedRequester | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
Issuer | PolicyRule | Compare the attribute issuer's name (typically the IdP's entityID) to a string |
PrincipalName | PolicyRule | Compare the principal name to a string |
AuthenticationMethod | PolicyRule | Compare the authentication method to a string |
Value | Matcher, or PolicyRule if attributeID specified | Compare attribute values to a string |
Scope | Matcher, or PolicyRule if attributeID specified | Compare the scope of a scoped attribute value to a string |
RequesterRegex | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
ProxiedRequesterRegex | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
IssuerRegex | PolicyRule | Match the attribute issuer's name (typically the IdP's entityID) to a regular expression |
PrincipalNameRegex | PolicyRule | Match the principal name to a regular expression |
AuthenticationMethodRegex | PolicyRule | Match the authentication method to a regular expression |
ValueRegex | Matcher, or PolicyRule if attributeID specified | Match attribute values to a regular expression |
ScopeRegex | Matcher, or PolicyRule if attributeID specified | Match the scopes of scoped attribute values to a regular expression |
Script | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
NumberOfAttributeValues | PolicyRule | Count the number of values of the specified attribute |
EntityAttributeExactMatch | PolicyRule | Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata |
EntityAttributeRegexMatch | PolicyRule | Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata |
NameIDFormatExactMatch | PolicyRule | Compare against the <NameIDFormat> elements in an attribute recipient's SAML metadata |
InEntityGroup | PolicyRule | Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor> |
AttributeValueMatchesShibMDScope | Not implemented | |
AttributeIssuerRegistrationAuthority | Not implemented | |
RegistrationAuthority | PolicyRule | Match against the <rpi:RegistrationInfo> extension in an attribute recipient's SAML metadata |
AttributeInMetadata | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, using just-in-time conversion |
MappedAttributeInMetadata | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, after having applied an attribute decoding/mapping translation from SAML into internal IdPAttribute form |
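The following added example (again not from this page or from the Shibboleth project's own files) composes several of the types in the table inside one policy, to show the PolicyRule/Matcher duality in practice: the logical operators take <Rule> children, a Value rule becomes a PolicyRule once attributeID is specified, and the same OR type means "logical OR" under <PolicyRequirementRule> but "set union" under <PermitValueRule>. The entity-category URI, the entityIDs, the entitlement URNs and the scope are assumed placeholders; the element belongs inside the deployment's <AttributeFilterPolicyGroup> alongside any other policies.

```xml
<!-- Added example; all entityIDs, URIs, attribute IDs and values are assumed placeholders. -->
<AttributeFilterPolicy id="entitlementsForResearchSPs">

    <!-- PolicyRule composition. Applies when the SP is either tagged with the
         entity category OR lives under example.org, AND the user is staff,
         AND the SP is not the one legacy deployment we exclude. -->
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="OR">
            <!-- EntityAttributeExactMatch: a tag in the SP's metadata -->
            <Rule xsi:type="EntityAttributeExactMatch"
                  attributeName="http://macedir.org/entity-category"
                  attributeValue="http://refeds.org/category/research-and-scholarship"/>
            <!-- RequesterRegex: anchored and dot-escaped so a lookalike such as
                 https://sp.example.org.evil.net/shibboleth cannot satisfy it -->
            <Rule xsi:type="RequesterRegex" regex="^https://[^/]+\.example\.org/shibboleth$"/>
        </Rule>
        <!-- Value used as a PolicyRule: attributeID is required in this position -->
        <Rule xsi:type="Value" attributeID="eduPersonAffiliation" value="staff"/>
        <!-- NOT wraps exactly one child rule -->
        <Rule xsi:type="NOT">
            <Rule xsi:type="Requester" value="https://legacy.example.org/shibboleth"/>
        </Rule>
    </PolicyRequirementRule>

    <!-- Matcher composition: OR here is the union of the value sets each child selects. -->
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="OR">
            <Rule xsi:type="Value" value="urn:mace:example.org:entitlement:library"/>
            <Rule xsi:type="ValueRegex" regex="^urn:mace:example\.org:entitlement:lab-[a-z0-9]+$"/>
        </PermitValueRule>
        <!-- A deny rule removes the value even if a permit rule above also matched it. -->
        <DenyValueRule xsi:type="Value" value="urn:mace:example.org:entitlement:admin"/>
    </AttributeRule>

    <!-- Scope as a Matcher: only values whose scope is our own domain are released,
         so a mis-resolved or upstream-injected foo@other.org value is dropped. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="Scope" value="example.org"/>
    </AttributeRule>

</AttributeFilterPolicy>
```

Two practical checks before deploying a policy like this: every regex in a RequesterRegex, IssuerRegex or ValueRegex rule should be anchored and have its dots escaped, since an unanchored pattern widens the set of SPs or values far beyond what was intended; and any Value or Scope rule placed under <PolicyRequirementRule> or as a <Rule> child of AND/OR/NOT must carry attributeID, otherwise there is no attribute for it to evaluate and the configuration fails to load.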