The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter.

As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.

Membership in a InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Type and Location

The InEntityGroup  type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at



groupID                   StringY
The<EntitiesDescriptor> Name to match against (or in V3.4+, a matching <AffiliationDescriptor>)
checkAffiliations 3.4Boolean
falseWhether to check metadata for <AffiliationDescriptor>-based matches

Child Elements



Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="" checkAffiliatons="true"/>