The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPAddAttributeFilterExamples

Owned by Former user (Deleted)
Last updated: Feb 07, 2017 by trscavo@internet2.edu
7 min read

Attribute Filter Policy Examples

The following examples do not illustrate all possible configuration properties or features. Refer to the attribute filter policy documentation for further information.

Release eduPersonAffiliation to Anyone

Contributed By: Chad La Joie, SWITCH

The following example demonstrates a very basic attribute filter policy. The policy contains the ANY requirement rule, which means it will be active for every request. The explicit permit value rules state which eduPersonAffiliation values will be released.

 Show Example
<AttributeFilterPolicy id="releaseToAnyone">

    <!-- Policy requirement rule indicates this policy is active for any request -->
    <PolicyRequirementRule xsi:type="basic:ANY"/>

    <!-- Attribute rule for the eduPersonAfffiliation attribute -->
    <AttributeRule attributeID="eduPersonAffiliation">
        <!-- Permit value rule that only releases the standard-specififed values for eduPersonAffiliation -->
        <PermitValueRule xsi:type="basic:OR">
            <Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
            <Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
        </PermitValueRule>
    </AttributeRule>

</AttributeFilterPolicy>

Release email Address to a Specific Service Provider

Contributed By: Chad La Joie, SWITCH

The following example demonstrates how to release the email attribute to a service provider whose entity ID is https://sp.example.org

 Show Example
<AttributeFilterPolicy id="releaseToSpExampleOrg">

    <!-- Policy requirement rule that indicates this policy is only used for requests from http://sp.example.org -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                           value="https://sp.example.org"/>

    <!-- Attribute rule for the email attribute -->
    <AttributeRule attributeID="email">
        <!-- Permit value rule that releases any value. -->
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

</AttributeFilterPolicy>

Deny Personal Attribute Release if FERPA Suppression Enabled

Contributed By: Chad La Joie, SWITCH

The following example demonstrates how to deny the release of some attributes if FERPA suppression, represented by a different attribute, is enabled.

 Show Example
<AttributeFilterPolicy id="denyOnFerpaSuppresion">

    <!-- Policy requirement rule that indicates this policy is active if FERPA suppression is enabled. -->
    <PolicyRequirementRule xsi:type="basic:AttributeValueString"
                           attributeID="ferpaSuppression"
                           value="true" />

    <!-- Attribute rule for the firstName attribute -->
    <AttributeRule attributeID="firstName">
        <!-- Deny value rule that denies the release of any value. -->
        <DenyValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Attribute rule for the givenName attribute -->
    <AttributeRule attributeID="givenName">
        <!-- Deny value rule that denies the release of any value. -->
        <DenyValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Attribute rule for the surname attribute -->
    <AttributeRule attributeID="surname">
        <!-- Deny value rule that denies the release of any value. -->
        <DenyValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Attribute rule for the address attribute -->
    <AttributeRule attributeID="address">
        <!-- Deny value rule that denies the release of any value. -->
        <DenyValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

Attribute Filter Policy with AND plus a Nested OR

Contributed By: Eileen Roach, California Polytechnic State University, San Luis Obispo

The following example demonstrates how to release attributes to a service provider with an AND and a nested OR statement in the attribute filter policy.

 Show Example
  <AttributeFilterPolicy>
        <PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.testshib.org/shibboleth-sp" />
            <basic:Rule xsi:type="basic:OR">
              <basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonPrimaryAffiliation" value="staff" ignoreCase="true" />
              <basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonPrimaryAffiliation" value="faculty" ignoreCase="true" />

            </basic:Rule>
        </PolicyRequirementRule>

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

  </AttributeFilterPolicy>

Release an Attribute Bundle to any SP in an Entity Group

Contributed By: Tom Scavo, Internet2

The following example policy releases a bundle of attributes to any SP in the InCommon Federation by referencing the Name attribute on the EntitiesDescriptor element in the InCommon metadata aggregate.

 Show Example
<AttributeFilterPolicy id="releaseToAnyInCommonSP"> 

  <PolicyRequirementRule
     xsi:type="saml:AttributeRequesterInEntityGroup"
     groupID="urn:mace:incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
</AttributeFilterPolicy>

Releasing attributes "to a federation" in this way assumes all of the SPs in the aggregate are equally trustworthy. If the aggregate corresponds to a single federation with adequate privacy controls, such a policy might be warranted. In other situations, it might be preferable to restrict the release of attributes to SPs that meet certain requirements. One approach is to restrict attribute release to SPs possessing a particular entity attribute, as shown in the example below.

Release an Attribute Bundle to any SP Registered by InCommon

Contributed By: Tom Scavo, Internet2

Here's a default attribute release policy that releases a bundle of attributes to any SP registered by InCommon (as indicated by an entity attribute in SP metadata):

 Show Example
<AttributeFilterPolicy id="releaseEssentialAttributeBundle">

  <!-- this policy is active for a requester with the following entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://id.incommon.org/category/registered-by-incommon"/>

  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>

</AttributeFilterPolicy>

Release an Attribute Bundle to any Research & Scholarship SP

Contributed By: Tom Scavo, Internet2

The following example policy (v2.3.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP. Attribute release is based on an entity attribute in SP metadata, which is significantly easier to maintain than a policy based on entity IDs.

 Show Example
<AttributeFilterPolicy id="releaseToRandS">

  <!-- this policy is active for a requester with the following entity attribute -->
  <PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
 
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="basic:ANY"/>
  </AttributeRule>
 
</AttributeFilterPolicy>

Release a Minimal Attribute Bundle to any Research & Scholarship SP

Contributed By: Tom Scavo, Internet2

Like the previous example, the following policy (v2.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP in the InCommon Federation. As before, attribute release depends on an entity attribute in SP metadata, but in this case a given attribute is released only if there is a corresponding <md:RequestedAttribute> element in SP metadata.

 Show Example
<AttributeFilterPolicy id="releaseMinimalToRandS">
 
  <PolicyRequirementRule
      xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>
 
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="email">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
  <AttributeRule attributeID="surname">
    <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>
</AttributeFilterPolicy>

Release Attributes only if Another Attribute Lacks a Particular Value

Contributed By: Christopher Bongaarts, University of Minnesota

This example releases eduPersonPrincipalName and displayName to the SP "https://example.org/shibboleth" only if eduPersonAffiliation does not contain the value "Student".

 Show Example
<AttributeFilterPolicy id="non-student-eppn-and-name">
    <PolicyRequirementRule xsi:type="basic:AND">
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://example.org/shibboleth" />
        <basic:Rule xsi:type="basic:NOT">
            <basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonAffiliation" value="Student" />
        </basic:Rule>
    </PolicyRequirementRule>
    <AttributeRule attributeID="eppn">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>