Overview

The NOT type (basic:NOT prior to V3.2) is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule, otherwise it acts as a Matcher.

Schema Type and Location

The NOT type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:NOT type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Reference

Attributes

None

Child Elements

Exactly one <Rule> element must be present (interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).

If the deprecated basic:NOT form is used, then exactly one <basic:Rule> child element must be present.

PolicyRule Semantics

When used as a PolicyRule, the result is the logical negation of the evaluation of the child rule.

Example

The example reads "Apply this rule if the SP is not named https://sp.example.org".

<PolicyRequirementRule xsi:type="NOT">
   <basic:Rule xsi:type="Requester" value="https://sp.example.org" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the allow or deny set result is the inverse of the sets of values returned by the child rule; that is, every value which is in the IdPAttribute which was not in the set resulting from the child rule.

Example

The example reads "Release all values for the attribute 'eduPersonEntitlement' except (if present) 'urn:mace:dir:entitlement:common-lib-terms'".

<AttributeRule attributeID="eduPersonEntitlement">
  <PermitValueRule xsi:type="NOT">
     <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
  </PermitValueRule>
</AttributeRule>

Browser not supported