AttributeFilterPolicyConfiguration
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
An <AttributeFilterPolicy> element describes one set of filtering behaviors. It consists of two parts:
- The <PolicyRequirementRule> which describes when the rule should be applied.
- A series of <AttributeRule> elements which describe what the rule does.
In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.
Reference
As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported component type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule component and for an <AttributeRule> to be a Matcher component (these terms are defined here).
| | RuleType | Function |
|---|---|---|
| | PolicyRule | Logically TRUE |
| | Matcher | Set Unity |
| | PolicyRule | Logical AND |
| | Matcher | Set Intersection |
| | PolicyRule | Logical OR |
| | Matcher | Set Union |
| | PolicyRule | Logical NOT |
| | Matcher | Set Inversion |
| | PolicyRule | Compare the active profile identifier to a string |
| | PolicyRule | Call an externally-defined predicate |
| Outbound | PolicyRule | Applies iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service. |
| Inbound | PolicyRule | Applies iff the system is filtering attributes that have been received from an external system (i.e., another IdP). |
| | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
| | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
| | PolicyRule | Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string |
| | PolicyRule | Compare the principal name to a string |
| | Matcher, or PolicyRule if | Compare attribute values to a string |
| | Matcher, or PolicyRule if | Compare the scope of a Scoped attribute value to a string |
| | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
| | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
| | PolicyRule | Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression |
| | PolicyRule | Match the principal name to a regular expression |
| | Matcher, or PolicyRule if | Match attribute values to a regular expression |
| | Matcher, or PolicyRule if | Match the scopes of scoped attribute values to a regular expression |
| | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
| | PolicyRule | Count the number of values for the specified Attribute |
| | PolicyRule | Exact match against |
| | PolicyRule | Regular expression match against |
| | PolicyRule | Exact match against |
| | PolicyRule | Regular expression match against |
| | PolicyRule | Exact match against |
| | PolicyRule | Regular expression match against |
| | PolicyRule | Compare against |
| | PolicyRule | Compare against |
| | PolicyRule | Check the attribute recipient's SAML metadata for a matching |
| | PolicyRule | Check the attribute issuer's SAML metadata for a matching |
| | PolicyRule | Check a proxied requester’s SAML metadata for a matching |
| | PolicyRule | Match against the |
| | PolicyRule | Match against the |
| | PolicyRule | Match against the |
| | PolicyRule | Match against the |
| | PolicyRule | Match against the |
| | PolicyRule | Match against the |
| | Matcher | Match attribute values against |
| | Matcher | Match the scopes of scoped attribute values against the |
| | Matcher | Match attribute values against the |
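
The following filter file is an added example, not taken from this page or from the Shibboleth project, showing the two parts described in the Overview working together: PolicyRule components decide when the policy applies and Matcher components decide which values are released. The xsi:type names (OR, Requester, ANY, Value, ValueRegex) and the surrounding elements do not appear on this page and are assumed from the IdP V3 and later filter syntax; the entityIDs, attribute IDs and values are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="ExampleFilterPolicies"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToExampleSPs">

        <!-- WHEN: PolicyRule components. Logical OR of two exact comparisons
             against the attribute recipient's name (constructed entityIDs). -->
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="Requester" value="https://sp1.example.org/shibboleth"/>
            <Rule xsi:type="Requester" value="https://sp2.example.org/shibboleth"/>
        </PolicyRequirementRule>

        <!-- WHAT: Matcher components select the values that survive filtering. -->

        <!-- Set Unity: every value of this attribute is released. -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>

        <!-- Set Union: only the values "member" and "staff" are released;
             any other affiliation value is filtered out. -->
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="member"/>
                <Rule xsi:type="Value" value="staff"/>
            </PermitValueRule>
        </AttributeRule>

        <!-- Regular expression Matcher: release only entitlement values under one
             (constructed) URN prefix, not the user's full entitlement set. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="ValueRegex" regex="^urn:mace:example\.org:sp1:.*$"/>
        </AttributeRule>

    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Attributes with no matching AttributeRule, and values that no PermitValueRule selects, are not released, so each rule should name the narrowest Matcher that still satisfies the relying party.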