/
AttributeFilterPolicyConfiguration

The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

AttributeFilterPolicyConfiguration

Nov 03, 2017

Overview

An <AttributeFilterPolicy> element describes one set of filtering behaviors.  Informally it consists of two parts:

  1. The <PolicyRequirementRule> which describes when the rule should be applied.

  2. A series of <AttributeRule> elements which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.

Reference

Schema Name

Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

In addition, IdP versions prior to 3.2.0 used the following schemas:

Use of these additional namespaces remains supported in newer versions, but is not required or advised in newer deployments, and they will be removed from V4.0. Plugin types defined in these two namespaces have corresponding types with the same, or a truncated version of, the name. The tables of legacy to current name mappings are given here.

Attributes

None.

Child Elements

Name

Cardinality

Description

Name

Cardinality

Description

<PolicyRequirementRule>

1

Describes the conditions under which the rule applies to a request

<AttributeRule>

1 or more

Describes the precise rules to apply if the PolicyRequirementRule applies

Common Rule Types

As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined here).

The list below gives the V3.2+ type name (the point at which the additional namespace complexity was removed). For the older (and V2-compatible) type name, consult the AttributeFilterLegacyNameSpaceMapping information.

RuleType

PolicyRule or Matcher

Function

RuleType

PolicyRule or Matcher

Function


ANY

PolicyRule

Logically TRUE

Matcher

Set Unity


AND

PolicyRule

Logical AND

Matcher 

Set Intersection


OR

PolicyRule

Logical OR

Matcher 

Set Union


NOT

PolicyRule

Logical NOT

Matcher

Set Inversion

Predicate

PolicyRule

Call an externally-defined predicate

Requester

PolicyRule

Compare the attribute recipient's name (typically an SP's entityID) to a string

ProxiedRequester 3.4

PolicyRule

Compare a proxied attribute recipient's name (typically an SP's entityID) to a string

Issuer 3.4

PolicyRule

Compare the attribute issuer's name (typically the IdP's entityID) to a string

PrincipalName

PolicyRule

Compare the principal name to a string

AuthenticationMethod

PolicyRule

Compare the authentication method to a string


Value

Matcher, or PolicyRule if attributeID specified 

Compare attribute values to a string

Scope

Matcher, or PolicyRule if attributeID specified

Compare the scope of a Scoped attribute value to a string

RequesterRegex

PolicyRule

Match the attribute recipient's name (typically an SP's entityID) to a regular expression

ProxiedRequesterRegex 3.4

PolicyRule

Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression

IssuerRegex 3.4

PolicyRule

Match the attribute issuer's name (typically the IdP's entityID) to a regular expression

PrincipalNameRegex

PolicyRule

Match the principal name to a regular expression

AuthenticationMethodRegex

PolicyRule

Match the authentication method to a regular expression

ValueRegex

Matcher, or PolicyRule if attributeID specified

Match attribute values to a regular expression

ScopeRegex

Matcher, or PolicyRule if attributeID specified

Match the scopes of scoped attribute values to a regular expression

Script

Both

Use a Java scripting language to implement a custom PolicyRule or Matcher

NumberOfAttributeValues

PolicyRule

Count the number of values for the specified Attribute

EntityAttributeExactMatch

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

EntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

NameIDFormatExactMatch

PolicyRule

Compare against <NameIDFormat> element's inside the attribute recipient's SAML metadata

InEntityGroup

PolicyRule

Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor>

AttributeScopeMatchesShibMDScope
AttributeValueMatchesShibMDScope
AttributeIssuerRegistrationAuthority

 

Not implemented

RegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in an attribute recipient's SAML metadata

AttributeInMetadata

Matcher

Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, using just in time conversion

MappedAttributeInMetadata

Matcher

Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata, after having applied an attribute decoding/mapping translation from SAML into internal IdPAttribute form