Page tree

Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.

Skip to end of metadata
Go to start of metadata


The ScopeRegex (basic:AttributeScopeRegex prior to V3.2) type matches attributes values against the supplied Java Regular Expression.

Confusingly, the ScopeRegex type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values, and the empty set otherwise)
  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that that is present amongst the values for the specified attribute).

Schema Name

The ScopeRegex type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at

The deprecated basic:AttributeScopeRegex type was defined in the urn:mace:shibboleth:shibboleth:2.0:afp:basic namespace, the schema for which can be found at


Three attributes may be specified

attributeID StringnoneIf this is present, then this is a PolicyRule returning true if the corresponding attribute exists and contains a value that matches.
If this is not present, then this is a Matcher returning any value that matches, and the empty set otherwise.
regexPatternrequiredThe regular expression to match against

Child Elements



Simple Profile Policy
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>

Apply this rule if the attribute "EPSA" contains at least one scope value whose scope ends .edu.

Simple Matcher
<AttributeRule attributeID="uid">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" />

Add any scoped values of the attribute "uid" with scope ending ".edu" to its permitted values list.

Compound PolicyRule (deprecated)
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$"/>

Apply this rule if any attribute contains a scope value whose scope ends .edu

Compound Matcher (deprecated)
<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>

If the attribute "epsa" contains any scoped which starts ends .edu then release all values of "email" .

  • No labels