The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

ScopeRegexConfiguration

Owned by Rod Widdowson
Last updated: Nov 03, 2017 by Scott Cantor

Overview

The ScopeRegex (basic:AttributeScopeRegex prior to V3.2) type matches attributes values against the supplied Java Regular Expression.

Confusingly, the ScopeRegex type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values, and the empty set otherwise)
  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values for the specified attribute).

Schema Name

The ScopeRegex type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated basic:AttributeScopeRegex type was defined in the urn:mace:shibboleth:shibboleth:2.0:afp:basic namespace, the schema for which can be found at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd

Attributes

Three attributes may be specified

NameTypeDefaultDescription
attributeID StringnoneIf this is present, then this is a PolicyRule returning true if the corresponding attribute exists and contains a value that matches.
If this is not present, then this is a Matcher returning any value that matches, and the empty set otherwise.
regexPatternrequiredThe regular expression to match against

Child Elements

None

Examples

Simple Profile Policy
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>

Apply this rule if the attribute "EPSA" contains at least one scope value whose scope ends .edu.

Simple Matcher
<AttributeRule attributeID="uid">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" />
</AttributeRule>

Add any scoped values of the attribute "uid" with scope ending ".edu" to its permitted values list.

Compound PolicyRule (deprecated)
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$"/>

Apply this rule if any attribute contains a scope value whose scope ends .edu

Compound Matcher (deprecated)
<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>
</AttributeRule>

If the attribute "epsa" contains any scoped which starts ends .edu then release all values of "email" .