Page tree
Skip to end of metadata
Go to start of metadata

Overview

The InEntityGroup type is a PolicyRule that returns true if the Name of any of the surrounding <EntitiesDescriptor> metadata of the requester matches the supplied parameter.

As of V3.4, this is extended to include a matching <AffiliationDescriptor> membership.

Membership in a InEntityGroup is rarely an effective way of making policy decisions. In general, base your attribute release policy on the characteristics of entity metadata only: SP entityID, entity attributes, and registration info. Avoid policy based on the characteristics of the aggregate itself. If you do rely on groups, use the <AffiliationDescriptor> mechanism, supported in V3.4 and up.

Schema Type and Location

The InEntityGroup  type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd

The deprecated saml:InEntityGroup type is defined in the urn:mace:shibboleth:2.0:afp:mf:saml namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd

Reference

Attributes

NameTypeReq?DefaultDescription
groupID                   StringY
The<EntitiesDescriptor> Name to match against (or in V3.4+, a matching <AffiliationDescriptor>)
checkAffiliations 3.4Boolean
falseWhether to check metadata for <AffiliationDescriptor>-based matches

Child Elements

None

Example

Apply this rule if the entity for the SP is included in an <EntitiesDescriptor> or <AffiliationDescriptor> named urn:mace:example.org

<PolicyRequirementRule xsi:type="InEntityGroup" groupID="urn:mace:example.org" checkAffiliatons="true"/>
  • No labels