The Shibboleth IdP V4 software will leave support on September 1, 2024.

NOTConfiguration

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The NOT type is one of very few filter plugin types that can function as either a PolicyRule or a Matcher. It takes its behavior from its location: if it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), it acts as a PolicyRule; otherwise it acts as a Matcher.

Reference

XML Elements

Exactly one <Rule> element must be present (interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).

PolicyRule Semantics

When used as a PolicyRule, the result is the logical negation of the evaluation of the child rule.

Example

The example reads "Apply this rule if the SP is not named https://sp.example.org".

<PolicyRequirementRule xsi:type="NOT">
    <basic:Rule xsi:type="Requester" value="https://sp.example.org" />
</PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the resulting allow or deny set is the inverse of the set of values returned by the child rule; that is, every value in the IdPAttribute that is not in the set resulting from the child rule.

Example

The example reads "Release all values for the attribute 'eduPersonEntitlement' except (if present) 'urn:mace:dir:entitlement:common-lib-terms'".

<AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="NOT">
        <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" />
    </PermitValueRule>
</AttributeRule>
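The two semantics above can be traced with a small model. This is an added example, not Shibboleth code: it evaluates one constructed policy that combines both examples on this page, and the function names, the `staff` entitlement and the extra SP names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed inputs: the page's two examples in one policy (afp default namespace omitted).
POLICY = """<AttributeFilterPolicy id="demo" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <PolicyRequirementRule xsi:type="NOT">
    <Rule xsi:type="Requester" value="https://sp.example.org"/>
  </PolicyRequirementRule>
  <AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="NOT">
      <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>"""
USER = {"eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms",
                                 "urn:example:entitlement:staff"]}

def policy_rule(el, requester):
    """PolicyRule context: True means the policy applies to this requester."""
    kind = el.get(XSI_TYPE)
    if kind == "NOT":
        (child,) = list(el)  # exactly one <Rule> child, else ValueError
        return not policy_rule(child, requester)
    if kind == "Requester":
        return requester == el.get("value")
    raise ValueError(f"unsupported PolicyRule type: {kind!r}")

def matcher(el, values):
    """Matcher context: returns the subset of `values` the rule selects."""
    kind = el.get(XSI_TYPE)
    if kind == "NOT":
        (child,) = list(el)
        return values - matcher(child, values)  # values not selected by the child
    if kind == "Value":
        return {v for v in values if v == el.get("value")}
    raise ValueError(f"unsupported Matcher type: {kind!r}")

def release(policy_xml, requester, attributes):
    """Return {attributeID: permitted values} for one requester."""
    root = ET.fromstring(policy_xml)
    if not policy_rule(root.find("PolicyRequirementRule"), requester):
        return {}
    released = {}
    for rule in root.findall("AttributeRule"):
        attr_id = rule.get("attributeID")
        permitted = matcher(rule.find("PermitValueRule"), set(attributes.get(attr_id, ())))
        if permitted:
            released[attr_id] = permitted
    return released
```

Because the PolicyRule form matches every requester except the one named, an SP registered later receives this policy without any change to the filter, which is worth checking when reviewing NOT-based release rules.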