
Overview

An <AttributeFilterPolicy> element describes one set of filtering behaviors. Informally, it consists of two parts:

  1. The <PolicyRequirementRule> which describes when the rule should be applied.
  2. A series of <AttributeRule> elements which describe what the rule does.

In each of these elements, what happens is defined by the xsi:type of the element; that is, the elements are plug-in points and the type indicates what plugin is used.

Reference

Schema Name

Elements and types described in this page and its children are defined by the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

In addition, IdP versions prior to 3.2.0 used the following schemas:

Use of these additional namespaces remains supported in newer versions, but it is neither required nor advised for new deployments, and they will be removed in V4.0. Plugin types defined in these two namespaces have corresponding types in the current namespace with the same name, or a truncated version of it. The tables of legacy-to-current name mappings are given here.

Attributes

None.

Child Elements

Name | Cardinality | Description
<PolicyRequirementRule> | 1 | Describes the conditions under which the rule applies to a request
<AttributeRule> | 1 or more | Describes the precise rules to apply if the PolicyRequirementRule applies

Common Rule Types

As described elsewhere, both <PolicyRequirementRule> and <AttributeRule> elements can use any supported plugin type, although it is more usual for the <PolicyRequirementRule> to be a PolicyRule plugin and for an <AttributeRule> to be a Matcher plugin (these terms are defined here).

The list below gives the V3.2+ type name (the point at which the additional namespace complexity was removed). For the older (and V2-compatible) type name, consult the AttributeFilterLegacyNameSpaceMapping information.

Rule Type | PolicyRule or Matcher | Function
ANY | PolicyRule | Logically TRUE
ANY | Matcher | Set unity
AND | PolicyRule | Logical AND
AND | Matcher | Set intersection
OR | PolicyRule | Logical OR
OR | Matcher | Set union
NOT | PolicyRule | Logical NOT
NOT | Matcher | Set inversion
Predicate | PolicyRule | Call an externally-defined predicate
Requester | PolicyRule | Compare the attribute recipient's name (typically an SP's entityID) to a string
ProxiedRequester (V3.4+) | PolicyRule | Compare a proxied attribute recipient's name (typically an SP's entityID) to a string
Issuer (V3.4+) | PolicyRule | Compare the attribute issuer's name (typically the IdP's entityID) to a string
PrincipalName | PolicyRule | Compare the principal name to a string
AuthenticationMethod | PolicyRule | Compare the authentication method to a string
Value | Matcher, or PolicyRule if attributeID is specified | Compare attribute values to a string
Scope | Matcher, or PolicyRule if attributeID is specified | Compare the scope of a scoped attribute value to a string
RequesterRegex | PolicyRule | Match the attribute recipient's name (typically an SP's entityID) against a regular expression
ProxiedRequesterRegex (V3.4+) | PolicyRule | Match a proxied attribute recipient's name (typically an SP's entityID) against a regular expression
IssuerRegex (V3.4+) | PolicyRule | Match the attribute issuer's name (typically the IdP's entityID) against a regular expression
PrincipalNameRegex | PolicyRule | Match the principal name against a regular expression
AuthenticationMethodRegex | PolicyRule | Match the authentication method against a regular expression
ValueRegex | Matcher, or PolicyRule if attributeID is specified | Match attribute values against a regular expression
ScopeRegex | Matcher, or PolicyRule if attributeID is specified | Match the scopes of scoped attribute values against a regular expression
Script | Both | Use a Java scripting language to implement a custom PolicyRule or Matcher
NumberOfAttributeValues | PolicyRule | Count the number of values of the specified attribute
EntityAttributeExactMatch | PolicyRule | Exact match against <mdattr:EntityAttributes> extension attributes ("tags") found in the attribute recipient's SAML metadata
EntityAttributeRegexMatch | PolicyRule | Regular expression match against <mdattr:EntityAttributes> extension attributes ("tags") found in the attribute recipient's SAML metadata
NameIDFormatExactMatch | PolicyRule | Compare against the <NameIDFormat> elements inside the attribute recipient's SAML metadata
InEntityGroup | PolicyRule | Check the attribute recipient's SAML metadata for a matching <EntitiesDescriptor>
AttributeScopeMatchesShibMDScope | - | Not implemented
AttributeValueMatchesShibMDScope | - | Not implemented
AttributeIssuerRegistrationAuthority | - | Not implemented
RegistrationAuthority | PolicyRule | Match against the <rpi:RegistrationInfo> extension in the attribute recipient's SAML metadata
AttributeInMetadata | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in the attribute recipient's SAML metadata, using just-in-time conversion
MappedAttributeInMetadata | Matcher | Match attribute values against <RequestedAttribute> elements associated with an <AttributeConsumingService> in the attribute recipient's SAML metadata, after applying the attribute decoding/mapping translation from SAML into internal IdPAttribute form
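The following is an added illustration (not taken from the Shibboleth documentation or distribution) of how the two parts described above fit together in an attribute-filter.xml policy: an AND PolicyRule built from Requester and Value rules decides when the policy applies, and ANY, Scope and ValueRegex act as Matchers inside the <AttributeRule> elements. The <AttributeFilterPolicyGroup> wrapper, the <Rule> children of AND and the <PermitValueRule> element are standard parts of the filter file format not covered on this page; the entityID, attribute IDs, scope and regular expression are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example; all entity IDs, attribute IDs and values are constructed placeholders. -->
<AttributeFilterPolicyGroup id="ExamplePolicyGroup"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToPayrollSP">

        <!-- Part 1: WHEN the policy applies. AND is used as a PolicyRule
             combining two further PolicyRules: the request must come from
             one specific SP, and the principal must carry the affiliation
             "staff". Value acts as a PolicyRule here because attributeID
             is specified. -->
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester" value="https://payroll.example.org/shibboleth" />
            <Rule xsi:type="Value" attributeID="eduPersonAffiliation" value="staff" />
        </PolicyRequirementRule>

        <!-- Part 2: WHAT is released. Each AttributeRule names one attribute
             and a Matcher selects which of its values pass the filter. -->

        <!-- ANY as a Matcher is set unity: every value of the attribute is released. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Scope as a Matcher (no attributeID given): only values whose scope
             is the home organisation are released; other scopes are dropped. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="Scope" value="example.org" />
        </AttributeRule>

        <!-- ValueRegex as a Matcher: only addresses in the local domain pass.
             The pattern is anchored so that a value such as
             "user@example.org.evil.test" does not match. -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ValueRegex" regex="^[^@]+@example\.org$" />
        </AttributeRule>

    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Attributes not named in any <AttributeRule> of a matching policy are not released at all, so a filter like this acts as an allow-list: each value must be explicitly permitted by a Matcher before the IdP emits it.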