AttributeFilterPolicyConfiguration
Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd
Overview
An <AttributeFilterPolicy> element describes one set of filtering behaviors. It consists of two parts:

- The <PolicyRequirementRule>, which describes when the rule should be applied.
- A series of <AttributeRule> elements, which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates which plugin is used.
Reference
Rule Types
As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can leverage any supported component type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule component and for an <AttributeRule> to be a Matcher component (these terms are defined here).
| Rule Type | Function | Description |
|---|---|---|
| ANY | PolicyRule | Logically TRUE |
| ANY | Matcher | Set Unity |
| AND | PolicyRule | Logical AND |
| AND | Matcher | Set Intersection |
| OR | PolicyRule | Logical OR |
| OR | Matcher | Set Union |
| NOT | PolicyRule | Logical NOT |
| NOT | Matcher | Set Inversion |
| Profile | PolicyRule | Compare the active profile identifier to a string |
| Predicate | PolicyRule | Call an externally-defined predicate |
| Outbound | PolicyRule | Applies iff the system is filtering attributes that are being released to an external system (i.e., an SP). This is the "traditional" use of the filtering service. |
| Inbound | PolicyRule | Applies iff the system is filtering attributes that have been received from an external system (i.e., another IdP). |
| Requester | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string |
| ProxiedRequester | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string |
| Issuer | PolicyRule | Compare the attribute issuer's name (typically a proxied IdP's entityID) to a string |
| PrincipalName | PolicyRule | Compare the principal name to a string |
| Value | Matcher, or PolicyRule if | Compare attribute values to a string |
| Scope | Matcher, or PolicyRule if | Compare the scope of a Scoped attribute value to a string |
| RequesterRegex | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) to a regular expression |
| ProxiedRequesterRegex | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) to a regular expression |
| IssuerRegex | PolicyRule | Match the attribute issuer's name (typically a proxied IdP's entityID) to a regular expression |
| PrincipalNameRegex | PolicyRule | Match the principal name to a regular expression |
| ValueRegex | Matcher, or PolicyRule if | Match attribute values to a regular expression |
| ScopeRegex | Matcher, or PolicyRule if | Match the scopes of scoped attribute values to a regular expression |
| Script | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher |
| NumberOfAttributeValues | PolicyRule | Count the number of values for the specified Attribute |
| EntityAttributeExactMatch | PolicyRule | Exact match against |
| EntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| IssuerEntityAttributeExactMatch | PolicyRule | Exact match against |
| IssuerEntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| ProxiedRequesterEntityAttributeExactMatch | PolicyRule | Exact match against |
| ProxiedRequesterEntityAttributeRegexMatch | PolicyRule | Regular expression match against |
| NameIDFormatExactMatch | PolicyRule | Compare against |
| IssuerNameIDFormatExactMatch | PolicyRule | Compare against |
| InEntityGroup | PolicyRule | Check the attribute recipient's SAML metadata for a matching |
| IssuerInEntityGroup | PolicyRule | Check the attribute issuer's SAML metadata for a matching |
| ProxiedRequesterInEntityGroup | PolicyRule | Check a proxied requester's SAML metadata for a matching |
| RegistrationAuthority | PolicyRule | Match against the |
| IssuerRegistrationAuthority | PolicyRule | Match against the |
| ProxiedRequesterRegistrationAuthority | PolicyRule | Match against the |
| AttributeInMetadata | Matcher | Match attribute values against |
| ScopeMatchesShibMDScope | Matcher | Match the scopes of scoped attribute values against the |
| ValueMatchesShibMDScope | Matcher | Match attribute values against the |
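The two-part structure from the Overview and several of the rule types from the table, put together as an added example policy group (written for this page, not taken from the Shibboleth documentation); the SP entityID, the entity group ID and the policy ids are constructed placeholders:

```xml
<!-- Added example, not Shibboleth project code. Entity IDs, group ID and
     policy ids below are constructed placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToExampleSP">
        <!-- Part 1: the PolicyRequirementRule decides WHEN the policy applies.
             A composite AND PolicyRule combines two child <Rule> components:
             release direction (Outbound) and the recipient's entityID. -->
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Outbound" />
            <Rule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
        </PolicyRequirementRule>

        <!-- Part 2: AttributeRule elements decide WHAT is released. An attribute
             with no matching PermitValueRule anywhere is not released at all,
             so the default outcome for unlisted attributes is "withheld". -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <!-- ANY as a Matcher: all values of this attribute pass. -->
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <!-- Matcher: keep only values whose scope the IdP asserts in its own
                 metadata; values carrying a foreign scope are silently dropped. -->
            <PermitValueRule xsi:type="ScopeMatchesShibMDScope" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <AttributeFilterPolicy id="releaseAffiliationToFederationGroup">
        <!-- Gate on SAML metadata group membership instead of one entityID;
             the groupID value is a placeholder. -->
        <PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:example:federation-group" />
        <AttributeRule attributeID="eduPersonAffiliation">
            <!-- Value as a Matcher: only the single value "member" is released,
                 whatever other affiliations the principal holds. -->
            <PermitValueRule xsi:type="Value" value="member" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Because rules only ever permit (or deny) values, the practical check when reviewing such a file is to confirm that every AttributeRule sits under a PolicyRequirementRule narrow enough for the data it releases.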