NOTConfiguration

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The NOT type is one of a very few filter plugin types which can function as a PolicyRule or a Matcher. It takes its behavior from its location. If it is defined within a <PolicyRequirementRule> (either directly or as a child of other logical operations), then it acts as a PolicyRule, otherwise it acts as a Matcher.

Reference

XML Elements

Exactly one <Rule> element must be present (interpreted as either <PolicyRequirementRule> or <PermitValueRule>/<DenyValueRule> based on the context).

PolicyRule Semantics

When used as a PolicyRule, the result is the logical negation of the evaluation of the child rule.

Example

The example reads "Apply this rule if the SP is not named https://sp.example.org".

<PolicyRequirementRule xsi:type="NOT"> <basic:Rule xsi:type="Requester" value="https://sp.example.org" /> </PolicyRequirementRule>

Matcher Semantics

When used as a Matcher, the allow or deny set result is the inverse of the sets of values returned by the child rule; that is, every value which is in the IdPAttribute which was not in the set resulting from the child rule.

Example

The example reads "Release all values for the attribute 'eduPersonEntitlement' except (if present) 'urn:mace:dir:entitlement:common-lib-terms'".

<AttributeRule attributeID="eduPersonEntitlement"> <PermitValueRule xsi:type="NOT"> <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms" /> </PermitValueRule> </AttributeRule>

Â