AttributeReleaseRule

The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.


Writing an Attribute Release Rule

An attribute release rule specifies which values of which attributes are released to which service providers. A collection of attribute release rules is referred to as an attribute release policy.

Attribute release rules are specified in the arp.site.xml file.

Writing the Rule

  1. Create a Rule element

  2. Optionally create a Description element, child of the Rule element, whose content is a description of this rule.

  3. Create a Target element, child of the Rule element, whose content is described in the next two steps.

  4. If you want the rule to apply to any service provider, create an AnyTarget element, child of the Target element.

  5. If you want the rule to apply to one or more specific service providers, create a Requester element, child of the Target element, with the following attribute and whose content is the string to match:

    • matchFunction - contains the URI identifier of the function used to evaluate if the content of the Requester element matches the service provider entity ID requesting attributes

  6. Create an Attribute element, child of the Rule element, with the following attribute:

    • name - the name of the attribute this rule applies to, this must match the value of the id attribute on the attribute's definition in the resolver.xml configuration file

  7. If you want all attribute values to be released to the service providers this rule applies to, create an AnyValue element, child of the Attribute element.

  8. If you want to restrict the values released to the service providers this rule applies to, create a Value element, child of the Attribute element, with the following attributes and whose content is the string to match:

    • matchFunction - contains the URI identifier of the function used to evaluate if the content of the Value element matches the possible value(s) of the attribute

    • release - whether to permit the release of the attributes that match this rule or deny them; permissible values "permit" and "deny"

The Rule element must contain exactly one Target element, followed by 0-to-many Attribute elements, followed by 0-to-many AttributeReference elements. Note the ordering: the Target element must appear before the Attribute elements. More than one Requester element may appear in a Target element. More than one Value element may appear within an Attribute element.

Match Functions

Match functions determine whether a given service provider ID or attribute value matches a given criterion. The following match functions ship with Shibboleth.

  • urn:mace:shibboleth:arp:matchFunction:stringMatch - checks whether a service provider ID or attribute value exactly matches the given criterion

  • urn:mace:shibboleth:arp:matchFunction:stringNotMatch - checks whether a service provider ID or attribute value does not exactly match the given criterion

  • urn:mace:shibboleth:arp:matchFunction:regexMatch - evaluates a regular expression and indicates a match if the regular expression matches the provider ID or attribute value

  • urn:mace:shibboleth:arp:matchFunction:regexNotMatch - evaluates a regular expression and indicates a match if the regular expression does not match the provider ID or attribute value

  • urn:mace:shibboleth:arp:matchFunction:anyValueMatch - matches any non-null string

Example Configuration

This rule releases any value of the eduPersonAffiliation attribute to any service provider.

<Rule>
  <Description>eduPersonAffiliation release to anyone</Description>
  <Target>
    <AnyTarget/>
  </Target>
  <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <AnyValue release="permit"/>
  </Attribute>
</Rule>

This rule releases most group values, but not administrative ones, to service providers from Brown University.

<Rule>
  <Description>Non-administrative groups released to Brown</Description>
  <Target>
    <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
      .*\.brown\.edu.*
    </Requester>
  </Target>
  <Attribute name="memberOf">
    <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
      ^urn:mace:example.org:group:admin:.*
    </Value>
  </Attribute>
</Rule>
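The following Python script is an added example, not part of this page or of the Shibboleth software. It implements the rule structure from the steps above and the five match functions listed under Match Functions, then evaluates the two example rules against a few service provider IDs and attribute values. Several points are assumptions rather than documented behaviour: regular expressions are matched against the whole string (Java-style matches(), which the leading and trailing ".*" in the page's own examples suggest); surrounding whitespace in Requester and Value content is ignored; when several rules apply, a deny on a value overrides any permit; the wrapper root element and the third rule (a permit for every memberOf value, without which the Brown rule would have nothing to deny) are constructed for the example; AttributeReference elements and ARP constraints are not handled.

```python
# Added example (not Shibboleth code): a minimal evaluator for ARP rules of the
# shape described on this page. Assumptions are marked in comments.
import re
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:arp:matchFunction:"


def match(function_uri, criterion, candidate):
    """Apply one of the five match functions from the page.

    criterion: text content of a Requester or Value element (whitespace is
    trimmed; assumption: the engine ignores surrounding whitespace).
    candidate: the service provider entity ID or attribute value under test.
    Regular expressions are applied to the whole string (assumption: Java-style
    matches(), suggested by the page's leading/trailing ".*" examples)."""
    criterion = criterion.strip()
    if not function_uri or not function_uri.startswith(NS):
        raise ValueError(f"unknown match function: {function_uri!r}")
    name = function_uri[len(NS):]
    if name == "stringMatch":
        return candidate == criterion
    if name == "stringNotMatch":
        return candidate != criterion
    if name == "regexMatch":
        return re.fullmatch(criterion, candidate) is not None
    if name == "regexNotMatch":
        return re.fullmatch(criterion, candidate) is None
    if name == "anyValueMatch":
        return bool(candidate)
    raise ValueError(f"unknown match function: {function_uri!r}")


def target_applies(rule, requester_id):
    """True if the rule's Target covers requester_id: either an AnyTarget is
    present, or at least one of possibly several Requester elements matches."""
    target = rule.find("Target")
    if target is None:
        raise ValueError("Rule has no Target element")
    if target.find("AnyTarget") is not None:
        return True
    return any(match(r.get("matchFunction"), r.text or "", requester_id)
               for r in target.findall("Requester"))


def release_bucket(elem, permitted, denied):
    """Pick the permit or deny set according to the element's release attribute."""
    mode = elem.get("release")
    if mode == "permit":
        return permitted
    if mode == "deny":
        return denied
    raise ValueError(f"release must be 'permit' or 'deny', got {mode!r}")


def evaluate(arp_xml, requester_id, attribute_name, values):
    """Return the sorted subset of `values` released for attribute_name to
    requester_id. Assumed semantics: a value is released when some applicable
    rule permits it and no applicable rule denies it (deny overrides permit)."""
    root = ET.fromstring(arp_xml)
    permitted, denied = set(), set()
    for rule in root.iter("Rule"):
        if not target_applies(rule, requester_id):
            continue
        for attr in rule.findall("Attribute"):
            if attr.get("name") != attribute_name:
                continue
            for any_value in attr.findall("AnyValue"):
                release_bucket(any_value, permitted, denied).update(values)
            for value in attr.findall("Value"):
                bucket = release_bucket(value, permitted, denied)
                fn, text = value.get("matchFunction"), value.text or ""
                bucket.update(v for v in values if match(fn, text, v))
    return sorted(permitted - denied)


# Constructed sample policy: the page's two example rules plus a third rule,
# added here, that permits every memberOf value to anyone. The root element
# name and the missing namespace declaration are simplifications.
SAMPLE_ARP = r"""<AttributeReleasePolicy>
  <Rule>
    <Description>eduPersonAffiliation release to anyone</Description>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Non-administrative groups released to Brown</Description>
    <Target>
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
        .*\.brown\.edu.*
      </Requester>
    </Target>
    <Attribute name="memberOf">
      <Value release="deny" matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">
        ^urn:mace:example.org:group:admin:.*
      </Value>
    </Attribute>
  </Rule>
  <Rule>
    <Description>Constructed for this example: memberOf to anyone</Description>
    <Target><AnyTarget/></Target>
    <Attribute name="memberOf"><AnyValue release="permit"/></Attribute>
  </Rule>
</AttributeReleasePolicy>"""

# Constructed attribute values for the demonstration.
MEMBER_OF = ["urn:mace:example.org:group:admin:root",
             "urn:mace:example.org:group:staff"]

if __name__ == "__main__":
    for sp in ("https://sp.brown.edu/shibboleth", "https://sp.example.org/shibboleth"):
        print(sp, "->", evaluate(SAMPLE_ARP, sp, "memberOf", MEMBER_OF))
```

Running the script shows the Brown service provider receiving only the staff group while any other provider receives both, which is the effect the second example rule is meant to have once a permit exists for the attribute.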

Advanced Feature: ARP Constraints