Overview
Each <AttributeRule> defines a filter operation to be applied to the values one specified attribute.
Each rule is either a permit rule in which case the filtered values are added to the permit list as described here or a deny rule in which case the filtered attributes are added to the deny list as described.
Examples
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="Value" value="jsmith" ignoreCase="true" />
</AttributeRule>
Reference
Schema Name
Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp (afp:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
In addition, IdP versions prior to 3.2.0 used the following schemas.
- by the
urn:mace:shibboleth:2.0:afp:mf:basic(basic:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd. - by the
urn:mace:shibboleth:2.0:afp:mf:saml(saml:) schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd.
Use of these schemas is still supported ifrom V3.2.0, but not required. Types defined in these two schemas, have corresponding types, with the same, or a truncated version of the name. The full tables of legacy to current mapping is given here.
Attributes
| Name | Type | Description |
|---|---|---|
| attributeID | String | This required attributes specifies the attribute name (as defined by an AttributeDefinition statement in the attribute-resolver.xml file |
| permitAny | boolean | If this is present and is "true", then there no child elements should be provided and the entire statement is shorthand for <AttributeRule attributeID="..."> <PermitValueRule xsi:type="ANY" /> |
Child Elements
One of the either <DenyValueRule> or <PermitValueRule> is specified as a child element. These elements must have a type specified by the xsi:type being one of the Common Types.
This rule should be of a matcher type. If it is of PolicyRule type then it will be converted as described here.