The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

EntityAttributeExactMatchConfiguration

Overview

The EntityAttributeExactMatch type is a PolicyRule that returns true if the SAML metadata for the requester contains <mdattr:EntityAttribute> extension data matching the supplied parameterization.

The values do not undergo any attribute mapping; that is, the inverse of the SAML Attribute Encoding defined in the attribute-resolver.xml file is not applied. The rule therefore operates directly on the SAML Attribute content in the metadata.

This is a PolicyRule that consults EntityAttribute extension "tags" in the metadata for an SP.

For a Matcher that consults <md:RequestedAttribute> metadata, use the AttributeInMetadata plugin type.

Schema Name

The EntityAttributeExactMatch type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated saml:EntityAttributeExactMatch type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Attributes

| Name | Type | Required? | Description |
|---|---|---|---|
| attributeName | String | Y | The SAML Attribute Name to match against |
| attributeValue | String | Y | The string value to match against |
| attributeNameFormat | String (URI) | | The SAML Attribute NameFormat to test against (if not specified, then matching is solely based on the Name) |

Child Elements

None

Example

<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
    attributeName="urn:mace:example.org:policy" attributeValue="urn:mace:example.org:policy:ABCD1234" />

The above policy would match the tags in the metadata below:

[...]
<Extensions>
    <mdattr:EntityAttributes>
        <saml:Attribute Name="urn:mace:example.org:policy">
            <saml:AttributeValue>urn:mace:example.org:policy:ABCD</saml:AttributeValue>
            <saml:AttributeValue>urn:mace:example.org:policy:ABCD1234</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:mace:example.org:entitlements"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>urn:mace:example.org:entitlements:ABCD</saml:AttributeValue>
            <saml:AttributeValue>urn:mace:example.org:entitlements:1234</saml:AttributeValue>
        </saml:Attribute>
    </mdattr:EntityAttributes>
</Extensions>
[...]
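
The following sketch is an added example, not code from the Shibboleth project. It reproduces the matching semantics described on this page so that a metadata file can be checked offline for which tags would satisfy a rule. The function name `exact_match`, the entityID and the surrounding EntityDescriptor are constructed for illustration. The sketch inspects only the entity's own Extensions and assumes that a rule with attributeNameFormat requires the metadata NameFormat to be present and identical.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata reusing the tags from the example above.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="urn:mace:example.org:policy">
        <saml:AttributeValue>urn:mace:example.org:policy:ABCD</saml:AttributeValue>
        <saml:AttributeValue>urn:mace:example.org:policy:ABCD1234</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:mace:example.org:entitlements"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>urn:mace:example.org:entitlements:ABCD</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>
"""

def exact_match(entity, name, value, name_format=None):
    """Return True if the entity's own EntityAttributes carry the exact tag."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != name:
            continue
        # Assumption: a rule NameFormat must equal the metadata NameFormat verbatim.
        if name_format is not None and attr.get("NameFormat") != name_format:
            continue
        for v in attr.findall("saml:AttributeValue", NS):
            # Whole-string, case-sensitive comparison: no prefix or regex matching.
            if (v.text or "") == value:
                return True
    return False

# ElementTree is used on constructed input only; parse untrusted metadata
# with a hardened XML parser.
ENTITY = ET.fromstring(SAMPLE_METADATA)
```
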