The InEntityGroup type is a PolicyRule that returns true if the Name of any <EntitiesDescriptor> element surrounding the requester's metadata matches the supplied parameter.
As of V3.4, this is extended to include a matching
Membership in a
InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.
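The following attribute filter file is an added example, not taken from the Shibboleth documentation. It places a group-based InEntityGroup rule (with the checkAffiliations attribute listed on this page) beside the three entity-metadata alternatives recommended above. All policy ids, entityIDs, the group name, the registrar URI and the released attribute IDs are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: every id, entityID, group name and registrar URI here is constructed. -->
<AttributeFilterPolicyGroup id="ExampleGroupVersusEntityPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Group-based release: the decision depends on how the metadata aggregate is
         packaged, not on anything the SP's own metadata says. checkAffiliations
         defaults to false and must be enabled explicitly (V3.4 and up). -->
    <AttributeFilterPolicy id="releaseByGroup">
        <PolicyRequirementRule xsi:type="InEntityGroup"
                groupID="https://federation.example.org/groups/partners"
                checkAffiliations="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Preferred: release keyed to one SP's entityID. -->
    <AttributeFilterPolicy id="releaseByEntityID">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth"/>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Preferred: release keyed to an entity attribute carried in the SP's metadata. -->
    <AttributeFilterPolicy id="releaseByEntityAttribute">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://refeds.org/category/research-and-scholarship"/>
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Preferred: release keyed to the registration info in the SP's metadata. -->
    <AttributeFilterPolicy id="releaseByRegistrar">
        <PolicyRequirementRule xsi:type="RegistrationAuthority"
                registrars="https://registrar.example.org/"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```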
Schema Type and Location
The InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd
The saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd
|checkAffiliations 3.4||Boolean||false||Whether to check metadata for |
Apply this rule if the entity for the SP is included in an