Overview

An <AttributeFilterPolicy> element describes one set of filtering behaviors. Informally it consists of two parts:

The <PolicyRequirementRule> which describes when the rule should be applied.
A series of <AttributeRule> elements which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.

Reference

Schema Name

Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

In addition, IdP versions prior to 3.2.0 used the following schemas:

The urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
The urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Use of these additional namespaces remains supported in newer versions, but is not required or advised in newer deployments, and they will be removed from V4.0. Plugin types defined in these two namespaces have corresponding types with the same, or a truncated version of, the name. The tables of legacy to current name mappings are given here.

Attributes

None.

Child Elements

Name	Cardinality	Description
`<PolicyRequirementRule>`	1	Describes the conditions under which the rule applies to a request
`<AttributeRule>`	1 or more	Describes the precise rules to apply if the PolicyRequirementRule applies

Common Rule Types

As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined here).

The list below gives the V3.2+ type name (the point at which the additional namespace complexity was removed). For the older (and V2-compatible) type name, consult the AttributeFilterLegacyNameSpaceMapping information.

RuleType	PolicyRule or Matcher	Function
`ANY`	PolicyRule	Logically TRUE
`ANY`	Matcher	Set Unity
`AND`	PolicyRule	Logical AND
`AND`	Matcher	Set Intersection
`OR`	PolicyRule	Logical OR
`OR`	Matcher	Set Union
`NOT`	PolicyRule	Logical NOT
`NOT`	Matcher	Set Inversion
Predicate	PolicyRule	Call an externally-defined predicate
`Requester`	PolicyRule	Compare the attribute recipient's name (typically an SP's entityID) to a string
`ProxiedRequester`^3.4	PolicyRule	Compare a proxied attribute recipient's name (typically an SP's entityID) to a string
`Issuer`^3.4	PolicyRule	Compare the attribute issuer's name (typically the IdP's entityID) to a string
`PrincipalName`	PolicyRule	Compare the principal name to a string
AuthenticationMethod	PolicyRule	Compare the authentication method to a string
`Value`	Matcher, or PolicyRule if `attributeID` specified	Compare attribute values to a string
`Scope`	Matcher, or PolicyRule if `attributeID` specified	Compare the scope of a Scoped attribute value to a string
`RequesterRegex`	PolicyRule	Match the attribute recipient's name (typically an SP's entityID) to a regular expression
`ProxiedRequesterRegex` ^3.4	PolicyRule	Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression
`IssuerRegex` ^3.4	PolicyRule	Match the attribute issuer's name (typically the IdP's entityID) to a regular expression
`PrincipalNameRegex`	PolicyRule	Match the principal name to a regular expression
`AuthenticationMethodRegex`	PolicyRule	Match the authentication method to a regular expression
`ValueRegex`	Matcher, or PolicyRule if `attributeID` specified	Match attribute values to a regular expression
`ScopeRegex`	Matcher, or PolicyRule if `attributeID` specified	Match the scopes of scoped attribute values to a regular expression
`Script`	Both	Use a Java scripting language to implement a custom PolicyRule or Matcher
`NumberOfAttributeValues`	PolicyRule	Count the number of values for the specified Attribute
`EntityAttributeExactMatch`	PolicyRule	Exact match against `<mdattr:EntityAttributes>` extension attributes ("tags") found in an attribute recipient's SAML metadata
`EntityAttributeRegexMatch`	PolicyRule	Regular expression match against `<mdattr:EntityAttributes>` extension attributes ("tags") found in an attribute recipient's SAML metadata
`NameIDFormatExactMatch`	PolicyRule	Compare against `<NameIDFormat>` element's inside the attribute recipient's SAML metadata
`InEntityGroup`	PolicyRule	Check the attribute recipient's SAML metadata for a matching `<EntitiesDescriptor>`
`AttributeScopeMatchesShibMDScope AttributeValueMatchesShibMDScope AttributeIssuerRegistrationAuthority`		Not implemented
`RegistrationAuthority`	PolicyRule	Match against the `<rpi:RegistrationInfo>` extension in an attribute recipient's SAML metadata
`AttributeInMetadata`	Matcher	Match attribute values against `<RequestedAttribute>` elements associated with an `<AttributeConsumingService>` in an attribute recipient's SAML metadata, using just in time conversion
`MappedAttributeInMetadata`	Matcher	Match attribute values against `<RequestedAttribute>` elements associated with an `<AttributeConsumingService>` in an attribute recipient's SAML metadata, after having applied an attribute decoding/mapping translation from SAML into internal IdPAttribute form

Browser not supported