The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


Script Attribute Filter Matching Rule

This matching rules evaluates a script to determine if the rule returns true or false. The default scripting language is ECMAscript (javascript) but any any JSR223 script language may be used.

Define the Rule

This rule is defined by the element <PolicyRequirementRule xsi:type="basic:Script">, for policy requirements rules, and <PermitValueRule xsi:type="basic:Script">, for permit value rules, with the following attributes:

  • language - identifies the scripting language to use, this attribute is optional (default: javascript)

The script to use is given either directly within the rule by the use of the <Script> element or in a file whose path is given in the <ScriptFile> element. Only one of these elements may be used within any given script rule definition.

The defined script must return a boolean value when evaluated. The current edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethFilteringContext object is bound to an script attribute called filterContext, the ID of the attribute currently being evaluated is bound to a script attribute called attributeId, the current attribute value being evaluated is bound to a script attribute called attributeValue.

According to the ECMAScript standard (ECMA-262, 3rd edition), "An ECMAScript program is considered syntactically incorrect if it contains a return statement that is not within a FunctionBody.". Therefore, you must first define a function and then invoke it within your script as show in the example below. Note, as the last statement in the script, the result of the function call will automatically be returned as the value of the script.

Example Policy Requirement Rule using the Script Match Function
<PolicyRequirementRule xsi:type="basic:Script">
            function evaluateRule(filterContext, attributeId, attributeValue) {
               if (attributeId == null) return true;
               if (attributeValue == null) return true;
               return filterContext.getAttributeRequestContext().getAttributes().get("uid").equals("jsmith");
            evaluateRule(filterContext, attributeId, attributeValue);

It is recommended that you wrap inline-defined scripts within a CDATA section to prevent the possible inclusion of invalid characters.