The Shibboleth IdP V4 software will leave support on September 1, 2024.

ScopeConfiguration

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The Scope type compares the scope portion of scoped attribute values against the supplied string.

The Scope type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the filtered attribute's values' scopes, and the empty set otherwise).

  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that value is present amongst the values' scopes for the specified attribute).

Reference

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| attributeID | String | | If this is present, then this is a PolicyRule returning true if the matching attribute contains a value with the supplied scope. If this is not present, then this is a Matcher returning that value if it is present amongst the values, and the empty set otherwise. |
| value | String | | Required, the scope value to match against |
| caseSensitive | Boolean | false | Optional, specifies how to perform the comparison |
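
The two behaviours above, modelled in Python as an added example; this is not Shibboleth's code. It assumes the scope is compared as a whole string, that a value without a scope never matches, and that each value is a (value, scope) pair; all names and sample data are constructed.

```python
from typing import NamedTuple, Optional

class AttrValue(NamedTuple):
    value: str
    scope: Optional[str]  # None models a value that carries no scope

def scope_equals(scope, wanted, case_sensitive=False):
    # Assumption: whole-string comparison, so "sub.example.org" != "example.org".
    if scope is None:
        return False
    if case_sensitive:
        return scope == wanted
    return scope.lower() == wanted.lower()  # approximates a case-insensitive compare

def scope_matcher(values, wanted, case_sensitive=False):
    """Matcher form (no attributeID): keep the filtered attribute's matching values."""
    return [v for v in values if scope_equals(v.scope, wanted, case_sensitive)]

def scope_policy_rule(attributes, attribute_id, wanted, case_sensitive=False):
    """PolicyRule form (attributeID set): true if any value of that attribute matches."""
    return bool(scope_matcher(attributes.get(attribute_id, []), wanted, case_sensitive))

# Constructed sample data, not taken from a real deployment.
ATTRIBUTES = {
    "epsa": [
        AttrValue("member", "example.org"),
        AttrValue("staff", "Example.ORG"),
        AttrValue("student", "sub.example.org"),
        AttrValue("affiliate", "notexample.org"),
    ],
    "uid": [AttrValue("jdoe", None)],
}

if __name__ == "__main__":
    for cs in (False, True):
        kept = scope_matcher(ATTRIBUTES["epsa"], "example.org", case_sensitive=cs)
        print(f"caseSensitive={cs}: kept", [(v.value, v.scope) for v in kept])
    print("policy rule on epsa:", scope_policy_rule(ATTRIBUTES, "epsa", "example.org"))
    print("policy rule on uid:", scope_policy_rule(ATTRIBUTES, "uid", "example.org"))
```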

Examples

Apply this rule if the attribute "epsa" contains a value with scope "example.org":

Simple Profile Policy
<PolicyRequirementRule xsi:type="Scope" value="example.org" attributeID="epsa"/>

If any scoped value of the attribute "epsa" has the scope "example.org" then add it to the permitted values to be released for "uid":

Simple Matcher
<AttributeRule attributeID="epsa">
    <PermitValueRule xsi:type="Scope" value="example.org" caseSensitive="false" />
</AttributeRule>

Apply this rule if any attribute contains a scoped value with scope "example.org":

Compound PolicyRule (deprecated)
<PolicyRequirementRule xsi:type="Scope" value="example.org"/>

If the attribute "epsa" contains a scoped value with scope "example.org" then release all values of "email":

Compound Matcher (deprecated)