Page tree
Skip to end of metadata
Go to start of metadata

In V3.2.0, the need for multiple XML namespaces in the filter policy syntax was removed. With the exception of some deprecated Matchers and Policy Rules, everything can now be expressed within the urn:mace:shibboleth:2.0:afp namespace. Many of the Matchers and Policy Rules preserve the same names (so, assuming the above namespace is the default in effect, xsi:type="basic:AND" becomes xsi:type="AND"), but some have been abbreviated.

The following table shows the appropriate mappings. See AttributeFilterPolicyConfiguration for the documentation.

The legacy types will be removed upon the release of V4.0.

The table's middle column assumes that the default XML namespace in the file is urn:mace:shibboleth:2.0:afp namespace; if not, then an appropriate prefix (likely "afp") would have to be used.

Legacy TypeCurrent TypeNotes
basic:ANDAND
basic:ANYANY
basic:AttributeIssuerRegexIssuerRegex 3.4Was scheduled for deprecation as of V3.3 but is restored as of V3.4.
basic:AttributeIssuerStringIssuer 3.4Was scheduled for deprecation as of V3.3 but is restored as of V3.4.
basic:AttributeRequesterRegexRequesterRegex
basic:AttributeRequesterStringRequester
basic:AttributeScopeRegexScopeRegex
basic:AttributeScopeStringScope
basic:AttributeValueRegexValueRegex
basic:AttributeValueStringValue
basic:AuthenticationMethodRegexAuthenticationMethodRegex


basic:AuthenticationMethodStringAuthenticationMethod
basic:NOTNOT
basic:NumberOfAttributeValuesNumberOfAttributeValues
basic:OROR
basic:PredicatePredicate
basic:PrincipalNameRegexPrincipalNameRegex
basic:PrincipalNameStringPrincipalName
basic:RuleRule
basic:ScriptScript
saml:AttributeInMetadataAttributeInMetadata
saml:AttributeIssuerEntityAttributeExactMatch
Never supported in V3. Error issued.
saml:AttributeIssuerEntityAttributeRegexMatch
Never supported in V3. Error issued.
saml:AttributeIssuerInEntityGroup
Never supported in V3. Error issued.
saml:AttributeIssuerNameIDFormatExactMatch
Never supported in V3. Error issued.
saml:AttributeRequesterEntityAttributeExactMatch
saml:EntityAttributeExactMatch
EntityAttributeExactMatch
saml:AttributeRequesterEntityAttributeRegexMatch
saml:EntityAttributeRegexMatch
EntityAttributeRegexMatch
saml:AttributeRequesterInEntityGroup
saml:InEntityGroup 
InEntityGroup 

saml:AttributeRequesterNameIDFormatExactMatch
saml:NameIDFormatExactMatch

NameIDFormatExactMatch
saml:MappedAttributeInMetadataMappedAttributeInMetadata
saml:RegistrationAuthorityRegistrationAuthority
  • No labels

2 Comments

  1. It seems there are some more types in schema, but never implemented in IdP.

    Legacy TypeCurrent Type
    saml:AttributeScopeMatchesShibMDScopeAttributeScopeMatchesShibMDScope
    saml:AttributeValueMatchesShibMDScopeAttributeValueMatchesShibMDScope
    saml:AttributeIssuerRegistrationAuthorityAttributeIssuerRegistrationAuthority
    1. Yes, but not being implemented they can't have been configured so don't figure into any conversions.