AttributeFilterPolicyConfiguration
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
An <AttributeFilterPolicy> element describes one set of filtering behaviors. It consists of two parts:
- The <PolicyRequirementRule>, which describes when the rule should be applied.
- A series of <AttributeRule> elements, which describe what the rule does.
In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.
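A small policy file showing the two parts side by side, as an added example rather than configuration from the original page. The `<AttributeFilterPolicyGroup>` wrapper, the `<PermitValueRule>` child, the `attributeID` and `value` attributes and the `ANY` type are taken from the Shibboleth filter schema and are not shown on this page; the policy ids, the entityID and the attribute IDs are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: ids, entityID and attribute IDs below are constructed placeholders. -->
<AttributeFilterPolicyGroup id="ExamplePolicyGroup"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Broad policy: the PolicyRequirementRule is always TRUE, so this
         applies to every requester, and the Matcher permits every value
         of the attribute. Anything listed here is released to all SPs. -->
    <AttributeFilterPolicy id="releaseToAnyone">
        <PolicyRequirementRule xsi:type="ANY" />
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Narrow policy: the PolicyRequirementRule (a PolicyRule component)
         limits the policy to one SP by entityID, and each AttributeRule
         (a Matcher component) decides which values of that attribute
         are released to it. -->
    <AttributeFilterPolicy id="releaseToExampleSP">
        <PolicyRequirementRule xsi:type="Requester"
                               value="https://sp.example.org/shibboleth" />

        <!-- Release only the one entitlement value this SP needs -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="Value"
                             value="urn:mace:dir:entitlement:common-lib-terms" />
        </AttributeRule>

        <!-- Release every value of mail to this SP -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

When auditing a filter file, the `xsi:type` on each `<PolicyRequirementRule>` shows how wide the policy's audience is, and the type on each value rule shows how much of the attribute leaves the IdP.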
Reference
Rule Types
As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported component type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule component and for an <AttributeRule> to be a Matcher component (these terms are defined here).
| Type | RuleType | Function |
|---|---|---|
| | PolicyRule | Logically TRUE |
| | Matcher | Set Unity |
| | PolicyRule | Logical AND |
| | Matcher | Set Intersection |
| | PolicyRule | Logical OR |
| | Matcher | Set Union |
| | PolicyRule | Logical NOT |
| | Matcher | Set Inversion |
| Profile | PolicyRule | Compare the active profile identifier to a string |
| Predicate | PolicyRule | Call an externally-defined predicate |
| Outbound | PolicyRule | Applies iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service. |
| Inbound | PolicyRule | Applies iff the system is filtering attributes that have been received from an external system (i.e., another IdP). |
| Requester | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
| ProxiedRequester | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
| Issuer | PolicyRule | Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string |
| PrincipalName | PolicyRule | Compare the principal name to a string |
| Value | Matcher, or PolicyRule if | Compare attribute values to a string |
| Scope | Matcher, or PolicyRule if | Compare the scope of a Scoped attribute value to a string |
| RequesterRegex | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
| ProxiedRequesterRegex | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
| IssuerRegex | PolicyRule | Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression |
| PrincipalNameRegex | PolicyRule | Match the principal name to a regular expression |
| ValueRegex | Matcher, or PolicyRule if | Match attribute values to a regular expression |
| ScopeRegex | Matcher, or PolicyRule if | Match the scopes of scoped attribute values to a regular expression |
| Script | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
| NumberOfAttributeValues | PolicyRule | Count the number of values for the specified Attribute |
| EntityAttributeExactMatch | PolicyRule | Exact match against |
| EntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| IssuerEntityAttributeExactMatch | PolicyRule | Exact match against |
| IssuerEntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| ProxiedRequesterEntityAttributeExactMatch | PolicyRule | Exact match against |
| ProxiedRequesterEntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| NameIDFormatExactMatch | PolicyRule | Compare against |
| IssuerNameIDFormatExactMatch | PolicyRule | Compare against |
| InEntityGroup | PolicyRule | Check the attribute recipient's SAML metadata for a matching |
| IssuerInEntityGroup | PolicyRule | Check the attribute issuer's SAML metadata for a matching |
| ProxiedRequesterInEntityGroup | PolicyRule | Check a proxied requester's SAML metadata for a matching |
| RegistrationAuthority | PolicyRule | Match against the |
| IssuerRegistrationAuthority | PolicyRule | Match against the |
| ProxiedRequesterRegistrationAuthority | PolicyRule | Match against the |
| ProtocolSupportConfiguration 5.2 | PolicyRule | Match against the |
| ProxiedRequesterProtocolSupportC 5.2 | PolicyRule | Match against the |
| IssuerProtocolSupport 5.2 | PolicyRule | Match against the |
| AttributeInMetadata | Matcher | Match attribute values against |
| ScopeMatchesShibMDScope | Matcher | Match the scopes of scoped attribute values against the |
| ValueMatchesShibMDScope | Matcher | Match attribute values against the |