The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.
ProxiedRequesterInEntityGroupConfiguration
This feature requires V4.2 and above.
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
The InEntityGroup type is a PolicyRule that returns true if the Name of any of the <EntitiesDescriptor> elements surrounding the metadata of a proxied requester matches the supplied parameter, or if the entity's metadata contains a matching <AffiliationDescriptor>.
The notion of a “proxied requester” varies by profile/protocol/use case, and generally does not involve metadata. This rule can be applied in cases where metadata may be available (and is actually being accessed).
Membership in a group is rarely an effective way of making policy decisions because hierarchies are inherently limiting and metadata sources tend not to align well to policy.
In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, prefer the <AffiliationDescriptor> mechanism, which allows group membership to be separate from the entities themselves.
Reference
XML Attributes
Name | Type | Req? | Default | Description |
---|---|---|---|---|
groupID | String | Y | | The |
checkAffiliations | Boolean | | false | Whether to check metadata for |
Example
Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org
<PolicyRequirementRule xsi:type="ProxiedRequesterInEntityGroup" groupID="urn:mace:example.org" checkAffiliations="true"/>
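The matching behaviour described in the Overview, modelled in Python over constructed SAML metadata. This is an added illustration, not code from the Shibboleth project. The entityIDs, the root Name, the helper names, and the assumption that an affiliation is identified by the entityID of the <EntityDescriptor> carrying the <AffiliationDescriptor> are not from this page.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# Constructed sample aggregate; every entityID and the root Name are made up.
METADATA = """
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="https://federation.example/all">
  <EntitiesDescriptor Name="urn:mace:example.org">
    <EntityDescriptor entityID="https://sp1.example.org/shibboleth"/>
  </EntitiesDescriptor>
  <EntityDescriptor entityID="https://sp2.example.net/shibboleth"/>
  <EntityDescriptor entityID="urn:mace:example.org">
    <AffiliationDescriptor affiliationOwnerID="urn:mace:example.org">
      <AffiliateMember>https://sp2.example.net/shibboleth</AffiliateMember>
    </AffiliationDescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""
ROOT = ET.fromstring(METADATA)

def enclosing_groups(node, entity_id, names=()):
    """Names of all <EntitiesDescriptor> ancestors of the entity, or None if absent."""
    if node.tag == MD + "EntityDescriptor":
        return names if node.get("entityID") == entity_id else None
    if node.tag == MD + "EntitiesDescriptor":
        names = names + (node.get("Name"),)
        for child in node:
            found = enclosing_groups(child, entity_id, names)
            if found is not None:
                return found
    return None

def affiliation_members(root, group_id):
    """Members listed by the affiliation assumed to be identified by group_id."""
    return {(m.text or "").strip()
            for ent in root.iter(MD + "EntityDescriptor")
            if ent.get("entityID") == group_id
            for m in ent.iter(MD + "AffiliateMember")}

def in_entity_group(root, entity_id, group_id, check_affiliations=False):
    groups = enclosing_groups(root, entity_id)
    if groups is None:  # no metadata for the proxied requester: nothing to match
        return False
    if group_id in groups:
        return True
    return check_affiliations and entity_id in affiliation_members(root, group_id)
```

In this sample, sp1 matches urn:mace:example.org through its enclosing group, while sp2 matches only when check_affiliations is true, and a requester with no metadata never matches.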