Overview

The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter.

As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.

Membership in a InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Type and Location

The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Reference

Attributes

Name	Type	Req?	Default	Description
groupID	String	Y		`The<EntitiesDescriptor>` Name to match against (or in V3.4+, a matching `<AffiliationDescriptor>`)
checkAffiliations ^3.4	Boolean		false	Whether to check metadata for `<AffiliationDescriptor>`-based matches

Child Elements

None

Example

Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org" checkAffiliatons="true"/>