Overview

An <AttributeRule> defines a filter operation to be applied to the values of one specific attribute.

Each rule is either a permit rule, in which case the filtered values are added to the permit list, or a deny rule, in which case the filtered attributes are added to the deny list (see here).

Schema Name and Location

The element itself is defined within the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The actual plugin types used are defined in namespaces specific to those types (though in practice they are now defined within the same namespace, or a pair of legacy namespaces in older versions, as described throughout this documentation).

Reference

Attributes

Name Type Description

attributeID String This required attributes specifies the IdPAttribute name (as defined by an <AttributeDefinition> plugin in the AttributeResolverConfiguration). Note, this is the internal name of the IdPAttribute "private" to the IdP and not anything to do with the name of a formalized SAML Attribute.

permitAny

Boolean

If this is present and set to "true", then there no child elements used, and is shorthand for:

<AttributeRule attributeID="...">
   <PermitValueRule xsi:type="ANY" />
</AttributeRule>

Child Elements

Name	Cardinality	Description
`<PermitValueRule>` or `<DenyValueRule>`	1	The permit or deny rule to apply to the specified attribute's values.

The child element must have a plugin xsi:type specified, usually one of the Common Types, generally a Matcher. If a PolicyRule plugin is used, then it will be converted as described here.

Examples

<AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="Value" value="student" ignoreCase="true" />
</AttributeRule>

Browser not supported