The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
NOTConfiguration
Overview
The NOT type (basic:NOT prior to V3.2) is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule; otherwise it acts as a Matcher.
Schema Type and Location
The NOT type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The deprecated basic:NOT type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
Reference
Attributes
None
Child Elements
Exactly one <Rule> element must be present (interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).
If the deprecated basic:NOT form is used, then exactly one <basic:Rule> child element must be present.
PolicyRule Semantics
When used as a PolicyRule, the result is the logical negation of the evaluation of the child rule.
Example
The example reads "Apply this rule if the SP is not named https://sp.example.org".
<PolicyRequirementRule xsi:type="NOT">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
</PolicyRequirementRule>
Matcher Semantics
When used as a Matcher, the resulting allow or deny set is the inverse of the set of values returned by the child rule; that is, every value in the IdPAttribute that was not in the set resulting from the child rule.
Example
The example reads "Release all values for the attribute 'eduPersonEntitlement' except (if present) 'urn:mace:dir:entitlement:common-lib-terms'".
<AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="NOT">
        <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
    </PermitValueRule>
</AttributeRule>
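A minimal model of the two semantics described above, as an added example that is not part of the original page and not the IdP's own code: it parses a constructed policy combining the page's two examples and evaluates NOT in each context. The helper names (rule_type, only_child, policy_applies, matched_values, release) are hypothetical, and only the NOT, Requester and Value types are handled.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# Constructed policy: the page's two NOT examples wrapped in one policy element.
POLICY = f"""
<AttributeFilterPolicy id="example" xmlns="{AFP}" xmlns:xsi="{XSI}">
  <PolicyRequirementRule xsi:type="NOT">
    <Rule xsi:type="Requester" value="https://sp.example.org" />
  </PolicyRequirementRule>
  <AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="NOT">
      <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>"""

def rule_type(el):
    return el.get(f"{{{XSI}}}type")

def only_child(el):
    kids = el.findall(f"{{{AFP}}}Rule")
    if len(kids) != 1:
        raise ValueError("NOT requires exactly one <Rule> child")
    return kids[0]

def policy_applies(el, requester):
    """PolicyRule context: NOT is the logical negation of its child."""
    if rule_type(el) == "NOT":
        return not policy_applies(only_child(el), requester)
    if rule_type(el) == "Requester":
        return requester == el.get("value")
    raise ValueError(f"unsupported PolicyRule type: {rule_type(el)}")

def matched_values(el, values):
    """Matcher context: NOT keeps the values its child did not match."""
    if rule_type(el) == "NOT":
        return set(values) - matched_values(only_child(el), values)
    if rule_type(el) == "Value":
        return {v for v in values if v == el.get("value")}
    raise ValueError(f"unsupported Matcher type: {rule_type(el)}")

def release(policy_xml, requester, attributes):  # hypothetical helper
    root = ET.fromstring(policy_xml)
    if not policy_applies(root.find(f"{{{AFP}}}PolicyRequirementRule"), requester):
        return {}
    return {r.get("attributeID"): matched_values(r.find(f"{{{AFP}}}PermitValueRule"),
                                                 attributes.get(r.get("attributeID"), []))
            for r in root.findall(f"{{{AFP}}}AttributeRule")}
```

Because the Matcher form permits every value not named in the child rule, a value added to the attribute later is released unless the child rule is updated to list it.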