The following example is the ARP (attribute release policy) used by the OhioLINK staff IdP. It releases the eduPersonPrincipalName attribute only to the OhioLINK servers and Internet2.
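<?xml version="1.0" encoding="UTF-8"?>
<!--
  Attribute release policy (ARP) for the OhioLINK staff IdP.
  Each Rule pairs a Target (which requesters it applies to) with the
  attribute released to them. The only attribute permitted in this file is
  eduPersonPrincipalName, and only for the two targets below.
  eduPersonPrincipalName identifies an individual person, so keep each
  Target as narrow as the service actually needs.
-->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                        xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
  <Description>OhioLINK Staff ARP</Description>

  <!--
    Rule 1: any requester whose id is https://HOST.ohiolink.edu/shibboleth.

    Tightened from the pattern https://.+\.ohiolink\.edu/shibboleth:
    ".+" also matches "/", "?" and "#", so the text in front of
    ".ohiolink.edu" was not limited to a host name and an id on another
    domain could satisfy the rule. The character class below allows only
    host name characters (sub-domains of any depth still match).
    ^ and $ make the whole-string match explicit; they are redundant if
    regexMatch already compares the full requester id (not confirmed here).

    The value is kept on one line: whitespace around it would be part of
    the element text, and whether it is trimmed depends on the IdP.
  -->
  <Rule>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^https://[A-Za-z0-9.-]+\.ohiolink\.edu/shibboleth$</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>

  <!--
    Rule 2: the single Internet2 requester, matched with exactShar
    (the requester id must equal this string rather than match a pattern).
  -->
  <Rule>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:exactShar">https://spaces.internet2.edu/shibboleth</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>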