The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
AttributeFilterPolicyConfiguration
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
An <AttributeFilterPolicy> element describes one set of filtering behaviors. It consists of two parts: a <PolicyRequirementRule>, which describes when the rule should be applied, and a series of <AttributeRule> elements, which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.
Reference
Rule Types
As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined here).
| Rule Type | Function | Description |
|---|---|---|
| | PolicyRule | Logically TRUE |
| | Matcher | Set Unity |
| | PolicyRule | Logical AND |
| | Matcher | Set Intersection |
| | PolicyRule | Logical OR |
| | Matcher | Set Union |
| | PolicyRule | Logical NOT |
| | Matcher | Set Inversion |
| Profile 4.2 | PolicyRule | Compare the active profile identifier to a string |
| Predicate | PolicyRule | Call an externally-defined predicate |
| Outbound | PolicyRule | Applies iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service. |
| Inbound | PolicyRule | Applies iff the system is filtering attributes that have been received from an external system (i.e., another IdP). |
| Requester | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
| ProxiedRequester | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
| Issuer | PolicyRule | Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string |
| PrincipalName | PolicyRule | Compare the principal name to a string |
| Value | Matcher, or PolicyRule if | Compare attribute values to a string |
| Scope | Matcher, or PolicyRule if | Compare the scope of a Scoped attribute value to a string |
| RequesterRegex | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
| ProxiedRequesterRegex | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
| IssuerRegex | PolicyRule | Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression |
| PrincipalNameRegex | PolicyRule | Match the principal name to a regular expression |
| ValueRegex | Matcher, or PolicyRule if | Match attribute values to a regular expression |
| ScopeRegex | Matcher, or PolicyRule if | Match the scopes of scoped attribute values to a regular expression |
| Script | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
| NumberOfAttributeValues | PolicyRule | Count the number of values for the specified Attribute |
| EntityAttributeExactMatch | PolicyRule | Exact match against |
| EntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| IssuerEntityAttributeExactMatch | PolicyRule | Exact match against |
| IssuerEntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| ProxiedRequesterEntityAttributeExactMatch 4.2 | PolicyRule | Exact match against |
| ProxiedRequesterEntityAttributeRegexMatch 4.2 | PolicyRule | Regular expression match against |
| NameIDFormatExactMatch | PolicyRule | Compare against |
| IssuerNameIDFormatExactMatch 4.1 | PolicyRule | Compare against |
| InEntityGroup | PolicyRule | Check the attribute recipient's SAML metadata for a matching |
| IssuerInEntityGroup | PolicyRule | Check the attribute issuer's SAML metadata for a matching |
| ProxiedRequesterInEntityGroup 4.2 | PolicyRule | Check a proxied requester's SAML metadata for a matching |
| RegistrationAuthority | PolicyRule | Match against the |
| IssuerRegistrationAuthority | PolicyRule | Match against the |
| ProxiedRequesterRegistrationAuthority 4.2 | PolicyRule | Match against the |
| AttributeInMetadata | Matcher | Match attribute values against |
| ScopeMatchesShibMDScope | Matcher | Match the scopes of scoped attribute values against the |
| ValueMatchesShibMDScope | Matcher | Match attribute values against the |
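The two-part structure from the Overview and several of the rule types in the table above, shown as a complete attribute-filter.xml fragment. This is an added example, not taken from the original wiki page; the entityID, the entity group ID, the scope regex and the attribute IDs are assumed placeholders and must match your own metadata and attribute registry.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original page. All entityIDs, the groupID and
     the attribute IDs are placeholders chosen for illustration. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Policy 1: the PolicyRequirementRule (a PolicyRule plugin of type
         "Requester") makes this policy apply only when the attribute
         recipient is exactly this one SP entityID. -->
    <AttributeFilterPolicy id="releaseToExampleSP">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>

        <!-- AttributeRule: release every value of eduPersonPrincipalName. -->
        <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>

        <!-- AttributeRule: release eduPersonAffiliation, but only the listed
             values. Each PermitValueRule is a Matcher plugin of type "Value";
             any other value (e.g. "staff") is silently dropped, which is the
             least-privilege default of the filtering engine. -->
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="Value" value="member"/>
            <PermitValueRule xsi:type="Value" value="student"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Policy 2: PolicyRequirementRule of type "InEntityGroup" applies the
         policy to every SP whose metadata sits in the named entity group,
         so membership is decided by metadata, not by a hand-kept SP list. -->
    <AttributeFilterPolicy id="releaseToFederationGroup">
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org:federation"/>

        <!-- Matcher plugin of type "ScopeRegex": only values whose scope is
             the IdP's own domain are released, so a stray value with a
             foreign scope cannot leak to the federation. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ScopeRegex" regex="^example\.edu$"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

An attribute that no applicable policy names, or a value that no PermitValueRule matches, is not released; when checking a filter, verify both the requester-side rule and the per-value matchers against a test SP before deploying.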