Attribute Filter Policy Examples
The following examples do not illustrate all possible configuration properties or features. Refer to the attribute filter policy documentation for further information.
Release eduPersonAffiliation to Anyone
Contributed By: Chad La Joie, SWITCH
The following example demonstrates a very basic attribute filter policy. The policy contains the ANY requirement rule, which means it is active for every request. The explicit permit value rules list which eduPersonAffiliation values will be released; any value not matched by a permit rule (for example a locally invented affiliation) is dropped rather than released.
<AttributeFilterPolicy id="releaseToAnyone">
<!-- Policy requirement rule indicates this policy is active for any request -->
<PolicyRequirementRule xsi:type="basic:ANY"/>
<!-- Attribute rule for the eduPersonAffiliation attribute -->
<AttributeRule attributeID="eduPersonAffiliation">
<!-- Permit value rule that only releases the standard-specified values for eduPersonAffiliation -->
<PermitValueRule xsi:type="basic:OR">
<Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true"/>
<Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true"/>
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
Release email Address to a Specific Service Provider
Contributed By: Chad La Joie, SWITCH
The following example demonstrates how to release the email attribute to a service provider whose entity ID is https://sp.example.org. The requester string must match the SP's entity ID exactly (including scheme and any trailing path); AttributeRequesterString is a string comparison, not a URL comparison.
<AttributeFilterPolicy id="releaseToSpExampleOrg">
<!-- Policy requirement rule that indicates this policy is only used for requests from https://sp.example.org -->
<PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
value="https://sp.example.org"/>
<!-- Attribute rule for the email attribute -->
<AttributeRule attributeID="email">
<!-- Permit value rule that releases any value. -->
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Deny Personal Attribute Release if FERPA Suppression Enabled
Contributed By: Chad La Joie, SWITCH
The following example demonstrates how to deny the release of some attributes if FERPA suppression, represented by a different attribute, is enabled. Deny value rules take precedence over permit value rules, regardless of which policy they appear in, so this policy can stand alone: whenever it is active, the listed attributes are withheld even if another policy (such as a release-to-anyone policy) permits them for the same request.
<AttributeFilterPolicy id="denyOnFerpaSuppression">
<!-- Policy requirement rule that indicates this policy is active if FERPA suppression is enabled. -->
<PolicyRequirementRule xsi:type="basic:AttributeValueString"
attributeID="ferpaSuppression"
value="true" />
<!-- Attribute rule for the firstName attribute -->
<AttributeRule attributeID="firstName">
<!-- Deny value rule that denies the release of any value. -->
<DenyValueRule xsi:type="basic:ANY" />
</AttributeRule>
<!-- Attribute rule for the givenName attribute -->
<AttributeRule attributeID="givenName">
<!-- Deny value rule that denies the release of any value. -->
<DenyValueRule xsi:type="basic:ANY" />
</AttributeRule>
<!-- Attribute rule for the surname attribute -->
<AttributeRule attributeID="surname">
<!-- Deny value rule that denies the release of any value. -->
<DenyValueRule xsi:type="basic:ANY" />
</AttributeRule>
<!-- Attribute rule for the address attribute -->
<AttributeRule attributeID="address">
<!-- Deny value rule that denies the release of any value. -->
<DenyValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Attribute Filter Policy with AND plus a Nested OR
Contributed By: Eileen Roach, California Polytechnic State University, San Luis Obispo
The following example demonstrates how to combine conditions in a policy requirement rule: an AND with a nested OR. It releases eduPersonPrincipalName to a specific service provider only when the user's eduPersonPrimaryAffiliation is staff or faculty. Nested rules inside AND, OR and NOT are written as basic:Rule elements.
<AttributeFilterPolicy id="releaseEppnToStaffOrFaculty">
<PolicyRequirementRule xsi:type="basic:AND">
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.testshib.org/shibboleth-sp" />
<basic:Rule xsi:type="basic:OR">
<basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonPrimaryAffiliation" value="staff" ignoreCase="true" />
<basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonPrimaryAffiliation" value="faculty" ignoreCase="true" />
</basic:Rule>
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
Release an Attribute Bundle to any SP in an Entity Group
Contributed By: Tom Scavo, Internet2
The following example policy releases a bundle of attributes to any SP in the InCommon Federation by referencing the Name attribute on the EntitiesDescriptor element in the InCommon metadata aggregate.
<AttributeFilterPolicy id="releaseToAnyInCommonSP">
<PolicyRequirementRule
xsi:type="saml:AttributeRequesterInEntityGroup"
groupID="urn:mace:incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
</AttributeFilterPolicy>
Release an Attribute Bundle to any SP Registered by InCommon
Contributed By: Tom Scavo, Internet2
Here's a default attribute release policy that releases a bundle of attributes to any SP registered by InCommon (as indicated by an entity attribute in SP metadata):
<AttributeFilterPolicy id="releaseEssentialAttributeBundle">
<!-- this policy is active for a requester with the following entity attribute -->
<PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
</AttributeFilterPolicy>
Release an Attribute Bundle to any Research & Scholarship SP
Contributed By: Tom Scavo, Internet2
The following example policy (v2.3.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP. Attribute release is based on an entity attribute in SP metadata, which is significantly easier to maintain than a policy based on entity IDs.
<AttributeFilterPolicy id="releaseToRandS">
<!-- this policy is active for a requester with the following entity attribute -->
<PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="basic:ANY"/>
</AttributeRule>
</AttributeFilterPolicy>
Release a Minimal Attribute Bundle to any Research & Scholarship SP
Contributed By: Tom Scavo, Internet2
Like the previous example, the following policy (v2.4 or later) releases a bundle of attributes to a Research & Scholarship Category SP in the InCommon Federation. As before, attribute release depends on an entity attribute in SP metadata, but in this case a given attribute is released only if there is a corresponding <md:RequestedAttribute> element in SP metadata. With onlyIfRequired="false" the attribute is released whether or not the SP marked it isRequired="true"; setting onlyIfRequired="true" would restrict release to attributes the SP declares required.
<AttributeFilterPolicy id="releaseMinimalToRandS">
<PolicyRequirementRule
xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarship"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>
<AttributeRule attributeID="email">
<PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>
</AttributeFilterPolicy>
Release Attributes only if Another Attribute Lacks a Particular Value
Contributed By: Christopher Bongaarts, University of Minnesota
This example releases eduPersonPrincipalName (here under the local attribute resolver ID "eppn") and displayName to the SP "https://example.org/shibboleth" only if eduPersonAffiliation does not contain the value "Student". Note that AttributeValueString compares case-sensitively unless ignoreCase="true" is set, and the standard eduPersonAffiliation vocabulary is lowercase ("student"); check the values your resolver actually produces, or add ignoreCase="true" as in the earlier examples, so that the NOT does not silently pass students through.
<AttributeFilterPolicy id="non-student-eppn-and-name">
<PolicyRequirementRule xsi:type="basic:AND">
<basic:Rule xsi:type="basic:AttributeRequesterString" value="https://example.org/shibboleth" />
<basic:Rule xsi:type="basic:NOT">
<basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonAffiliation" value="Student" />
</basic:Rule>
</PolicyRequirementRule>
<AttributeRule attributeID="eppn">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
</AttributeFilterPolicy>
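To make the combination rules behind the FERPA deny example and the NOT example concrete, here is an added offline evaluator for the basic: match functors used on this page. It is example code written for this page, not code from the Shibboleth project, and it assumes the IdP v2 semantics described above: every policy whose PolicyRequirementRule holds contributes permitted and denied values, and a value is released only if some policy permits it and no policy denies it. The policy text, the requester entity IDs and the attribute values it runs against are constructed samples condensed from the examples above; the saml: functors (entity groups, entity attributes, AttributeInMetadata) need SP metadata and are deliberately not implemented.

```python
# Added example (not from the wiki page or the Shibboleth IdP): a minimal
# evaluator for the basic: attribute filter functors, using IdP v2 semantics
# (permitted minus denied, with deny rules winning across all policies).
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
# The page's fragments omit namespace declarations; wrap them so they parse.
WRAPPER = f'<AttributeFilterPolicyGroup xmlns="{AFP}" xmlns:basic="{BASIC}" xmlns:xsi="{XSI}">'

# Constructed sample policies, condensed from the examples on this page.
SAMPLE_POLICIES = """
<AttributeFilterPolicy id="releaseToAnyone">
  <PolicyRequirementRule xsi:type="basic:ANY"/>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="basic:OR">
      <Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true"/>
      <Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true"/>
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy id="releaseGivenNameToSpExampleOrg">
  <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org"/>
  <AttributeRule attributeID="givenName"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy id="denyOnFerpaSuppression">
  <PolicyRequirementRule xsi:type="basic:AttributeValueString" attributeID="ferpaSuppression" value="true"/>
  <AttributeRule attributeID="givenName"><DenyValueRule xsi:type="basic:ANY"/></AttributeRule>
</AttributeFilterPolicy>
<AttributeFilterPolicy id="non-student-eppn">
  <PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org"/>
    <basic:Rule xsi:type="basic:NOT">
      <basic:Rule xsi:type="basic:AttributeValueString" attributeID="eduPersonAffiliation" value="Student"/>
    </basic:Rule>
  </PolicyRequirementRule>
  <AttributeRule attributeID="eppn"><PermitValueRule xsi:type="basic:ANY"/></AttributeRule>
</AttributeFilterPolicy>
"""

# Constructed sample request: attributes as the resolver would produce them.
SAMPLE_ATTRIBUTES = {
    "eduPersonAffiliation": ["student", "guest"],
    "givenName": ["Alice"],
    "eppn": ["alice@example.edu"],
    "ferpaSuppression": ["false"],
}


def _eq(actual, expected, rule):
    """String comparison honouring ignoreCase (default is case-sensitive)."""
    if actual is None:
        return False
    if rule.get("ignoreCase", "false").lower() == "true":
        return actual.lower() == expected.lower()
    return actual == expected


def evaluate(rule, requester, attributes, value=None):
    """Evaluate one match functor; `value` is set when filtering a single attribute value."""
    kind = rule.get(f"{{{XSI}}}type", "").split(":")[-1]
    children = [c for c in rule if c.tag.split("}")[-1] == "Rule"]
    if kind == "ANY":
        return True
    if kind == "AND":
        return all(evaluate(c, requester, attributes, value) for c in children)
    if kind == "OR":
        return any(evaluate(c, requester, attributes, value) for c in children)
    if kind == "NOT":
        return not evaluate(children[0], requester, attributes, value)
    if kind == "AttributeRequesterString":
        return _eq(requester, rule.get("value"), rule)
    if kind == "AttributeValueString":
        aid = rule.get("attributeID")
        if aid is not None:  # policy-level use: does the named attribute carry the value?
            return any(_eq(v, rule.get("value"), rule) for v in attributes.get(aid, []))
        return _eq(value, rule.get("value"), rule)  # value-level use inside Permit/DenyValueRule
    raise ValueError(f"unsupported functor: {kind}")


def filter_attributes(policy_xml, requester, attributes):
    """Return {attributeID: [released values]} for one request under the given policies."""
    root = ET.fromstring(WRAPPER + policy_xml + "</AttributeFilterPolicyGroup>")
    permitted = {aid: set() for aid in attributes}
    denied = {aid: set() for aid in attributes}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        if not evaluate(policy.find(f"{{{AFP}}}PolicyRequirementRule"), requester, attributes):
            continue  # policy not active for this request
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            aid = attr_rule.get("attributeID")
            for tag, bucket in (("PermitValueRule", permitted), ("DenyValueRule", denied)):
                functor = attr_rule.find(f"{{{AFP}}}{tag}")
                if functor is None or aid not in attributes:
                    continue
                bucket[aid].update(v for v in attributes[aid] if evaluate(functor, requester, attributes, v))
    # Deny wins: a value is released only if permitted somewhere and denied nowhere.
    released = {}
    for aid, values in attributes.items():
        kept = [v for v in values if v in permitted[aid] and v not in denied[aid]]
        if kept:
            released[aid] = kept
    return released


def demo(requester="https://sp.example.org", ferpa="false"):
    """Run the sample policies for one requester and FERPA flag (hypothetical helper)."""
    return filter_attributes(SAMPLE_POLICIES, requester, dict(SAMPLE_ATTRIBUTES, ferpaSuppression=[ferpa]))


if __name__ == "__main__":
    print(demo())                                   # guest affiliation dropped, givenName and eppn released
    print(demo(ferpa="true"))                       # givenName now denied despite the permit rule
    print(demo(requester="https://other.example.org"))  # only the release-to-anyone policy applies
```

Two things the output shows that the XML alone does not: the ferpaSuppression attribute itself is never released, because no policy permits it, and the non-student policy still releases eppn for the lowercase affiliation "student", since the case-sensitive match on "Student" fails inside the NOT.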