The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
ScopeConfiguration
- Rod Widdowson
- Scott Cantor
- Thomas Lenggenhager
Overview
The Scope (basic:AttributeScopeString prior to V3.2) type compares the scope portion of scoped attributes values against the supplied string. Â
Confusingly, the Scope type can be a Matcher or a PolicyRequirement.
- If no
attributeIDattribute is specified then it is a Matcher (returning that value if it is present amongst the values' scopes, and the empty set otherwise) - If anÂ
attributeIDÂ attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values' scopes for the specified attribute).
Schema Name
The Scope type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The deprecated basic:AttributeScopeString type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd
Attributes
Three attributes may be specified
| Name | Type | Default | Description |
|---|---|---|---|
attributeID | String | none | If this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope. If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise. |
value | String | required | The value to match against |
ignoreCase | Boolean | true | Whether the matching is case insensitive |
Child Elements
None
Examples
<PolicyRequirementRule xsi:type="Scope" value="university.edu" attributeID="epsa"/>
Apply this rule if the attribute "epsa" contains a value with scope "university.edu"Â
<AttributeRule attributeID="epsa"> <PermitValueRule xsi:type="Scope" value="university.edu" ignoreCase="true" /> </AttributeRule>
If any scoped value of the attribute "epsa" has the scope "university.edu" then add it to the permitted values to be release for "uid"
<PolicyRequirementRule xsi:type="Scope" value="university.edu"/>
Apply this rule if any attribute contains a scoped value with scope "university.edu".
<AttributeRule attributeID="email"> <PermitValueRule xsi:type="basic:Scope" value="university.edu" attributeID="epsa"/> </AttributeRule>
If the attribute "epsa" contains a scoped value with scope "university.edu" then release all values of "email" .