Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.


Overview

The InEntityGroup type is a PolicyRule that returns true if the Name attribute of any <EntitiesDescriptor> enclosing the requester's entity metadata matches the supplied groupID parameter.

As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.

Membership in an InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy only on characteristics of the entity's own metadata: the SP entityID, entity attributes, and registration info. Avoid policy based on characteristics of the aggregate itself, since the grouping of entities within an aggregate is a property of how the metadata was assembled rather than of the SP. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Type and Location

The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Reference

Attributes

Name | Type | Req? | Default | Description
--- | --- | --- | --- | ---
groupID | String | Y | | The <EntitiesDescriptor> Name to match against (or, in V3.4+, the name of a matching <AffiliationDescriptor>)
checkAffiliations (3.4+) | Boolean | | false | Whether to also check metadata for <AffiliationDescriptor>-based matches

Child Elements

None

Example

Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org:

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org" checkAffiliations="true"/>
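As an added illustration (not code from the original page or the Shibboleth project), here is the rule above placed in a complete attribute filter policy, followed by a constructed metadata fragment showing the two structures the rule can match for an SP. The entityID https://sp.example.org/shibboleth, the policy id, and the released attribute are assumed values.

```xml
<!-- attribute-filter.xml (constructed example): release ePPN to any SP in the urn:mace:example.org group -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToExampleOrgGroup">
        <!-- checkAffiliations requires V3.4+; without it only the <EntitiesDescriptor> Name is consulted -->
        <PolicyRequirementRule xsi:type="InEntityGroup"
                               groupID="urn:mace:example.org"
                               checkAffiliations="true"/>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>

<!-- Constructed metadata: either of the two structures below makes the SP match the rule. -->

<!-- 1. The SP's EntityDescriptor sits inside an EntitiesDescriptor whose Name equals groupID. -->
<EntitiesDescriptor Name="urn:mace:example.org"
                    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <EntityDescriptor entityID="https://sp.example.org/shibboleth">
        <!-- SPSSODescriptor and other roles omitted -->
    </EntityDescriptor>
</EntitiesDescriptor>

<!-- 2. (V3.4+, checkAffiliations="true") An affiliation whose entityID equals groupID lists the SP as a member. -->
<EntityDescriptor entityID="urn:mace:example.org"
                  xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
    <AffiliationDescriptor affiliationOwnerID="urn:mace:example.org">
        <AffiliateMember>https://sp.example.org/shibboleth</AffiliateMember>
    </AffiliationDescriptor>
</EntityDescriptor>
```

The affiliation form is the one to prefer, since membership is then an explicit statement in metadata rather than a side effect of how the aggregate happens to be nested.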