The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.

AttributeFilterPolicyConfiguration

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

An <AttributeFilterPolicy> element describes one set of filtering behaviors.  It consists of two parts:

  1. The <PolicyRequirementRule> which describes when the rule should be applied.

  2. A series of <AttributeRule> elements which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.

Reference

Name

Cardinality

Description

Name

Cardinality

Description

<PolicyRequirementRule>

1

Describes the conditions under which the policy applies to a request

<AttributeRule>

1 or more

Describes the precise rules to apply if the policy applies

Rule Types

As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined here).

RuleType

Function

RuleType

Function


ANY

PolicyRule

Logically TRUE

Matcher

Set Unity


AND

PolicyRule

Logical AND

Matcher 

Set Intersection


OR

PolicyRule

Logical OR

Matcher 

Set Union


NOT

PolicyRule

Logical NOT

Matcher

Set Inversion

Profile 4.2

PolicyRule

Compare the active profile identifier to a string

Predicate

PolicyRule

Call an externally-defined predicate

Outbound

PolicyRule

Applies iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service.

Inbound

PolicyRule

Applies iff the system is filtering attributes that have been received from an external system (i.e, another IdP).

Requester

PolicyRule

Compare the attribute recipient's name (typically an SP's entityID) to a string

ProxiedRequester

PolicyRule

Compare a proxied attribute recipient's name (typically an SP's entityID) to a string

Issuer

PolicyRule

Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string

PrincipalName

PolicyRule

Compare the principal name to a string

Value

Matcher, or PolicyRule if attributeID specified 

Compare attribute values to a string

Scope

Matcher, or PolicyRule if attributeID specified

Compare the scope of a Scoped attribute value to a string

RequesterRegex

PolicyRule

Match the attribute recipient's name (typically an SP's entityID) to a regular expression

ProxiedRequesterRegex

PolicyRule

Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression

IssuerRegex

PolicyRule

Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression

PrincipalNameRegex

PolicyRule

Match the principal name to a regular expression

ValueRegex

Matcher, or PolicyRule if attributeID specified

Match attribute values to a regular expression

ScopeRegex

Matcher, or PolicyRule if attributeID specified

Match the scopes of scoped attribute values to a regular expression

Script

Both

Use a Java scripting language to implement a custom PolicyRule or Matcher

NumberOfAttributeValues

PolicyRule

Count the number of values for the specified Attribute

EntityAttributeExactMatch

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

EntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute recipient's SAML metadata

IssuerEntityAttributeExactMatch        

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute issuer's SAML metadata

IssuerEntityAttributeRegexMatch

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in an attribute issuer's SAML metadata

ProxiedRequesterEntityAttributeExactMatch 4.2

PolicyRule

Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in a proxied requester's SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

ProxiedRequesterEntityAttributeRegexMatch 4.2

PolicyRule

Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in a proxied requester's SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

NameIDFormatExactMatch

PolicyRule

Compare against <NameIDFormat> element's inside the attribute recipient's SAML metadata

IssuerNameIDFormatExactMatch 4.1

PolicyRule

Compare against <NameIDFormat> element's inside the attribute issuer's SAML metadata

InEntityGroup

PolicyRule

Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>

IssuerInEntityGroup

PolicyRule

Check the attribute issuer's SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>

ProxiedRequesterInEntityGroup 4.2

PolicyRule

Check a proxied requester’s SAML metadata for a matching <EntitiesDescriptor> or <AffiliationDescriptor>. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

RegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in an attribute recipient's SAML metadata

IssuerRegistrationAuthority

PolicyRule

Match against the <rpi:RegistrationInfo> extension in an attribute issuer's SAML metadata

ProxiedRequesterRegistrationAuthority 4.2

PolicyRule

Match against the <rpi:RegistrationInfo> extension in a proxied requester’s SAML metadata. Exact semantics of a proxy in this sense depend on the profile/protocol in use.

AttributeInMetadata

Matcher

Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in an attribute recipient's SAML metadata

ScopeMatchesShibMDScope

Matcher

Match the scopes of scoped attribute values against the <shibmd:Scope> metadata extension for the Issuer's EntityDescriptor  or appropriate  Role Descriptor.

ValueMatchesShibMDScope

Matcher

Match attribute values against the <shibmd:Scope> metadata extension for the Issuer's EntityDescriptor  or appropriate  Role Descriptor.