The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
InEntityGroupConfiguration
- Rod Widdowson
- Scott Cantor
- Marvin Addison
Overview
The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter.
As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.
Membership in a InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.
Schema Type and Location
The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd
Reference
Attributes
| Name | Type | Req? | Default | Description |
|---|---|---|---|---|
| groupID | String | Y | The<EntitiesDescriptor> Name to match against (or in V3.4+, a matching <AffiliationDescriptor>) | |
| checkAffiliations 3.4 | Boolean | false | Whether to check metadata for <AffiliationDescriptor>-based matches |
Child Elements
None
Example
Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org
<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org" checkAffiliatons="true"/>