The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

ORConfiguration

Owned by Rod Widdowson
Last updated: Nov 03, 2017 by Scott Cantor
2 min read

Overview

The OR type (basic:OR prior to V3.2.0) is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule, otherwise it acts as a Matcher.

Schema Type and Location

The OR type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:OR type is defined within the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Reference

Attributes

None

Child Elements

At least one <Rule> element must be present (these are interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).

If the deprecated basic:OR form is used, then at least two <basic:Rule> child elements must be present.

PolicyRule Semantics

When used as a PolicyRule, the result is the logical OR of the evaluation of the child rules.

Example

The example means that the rule is applied if:

  • The principal is jsmith or
  • The SP is named https://sp.example.org or
  • The SP is named https://sp2.example.org
<PolicyRequirementRule xsi:type="OR">
   <Rule xsi:type="Requester" value="https://sp.example.org" />
   <Rule xsi:type="Requester" value="https://sp2.example.org" />
   <Rule xsi:type="PrincipalName" value="jsmith" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the allow or deny set result is the union of all sets resulting from the child rules (that is, it is the set of items in the results of any of the child rules).

Example

The example reads "Release those values for the attribuite 'uid' which match either of the regular expressions (starting with jsmi or ending with th)."

<AttributeRule attributeID="uid">
  <PermitValueRule xsi:type="OR">
     <Rule xsi:type="ValueRegex" regex="^jsmit.*$" />
     <Rule xsi:type="ValueRegex" regex="^.*th$" />
  </PermitValueRule>
</AttributeRule>