

The ScopeRegex type (basic:AttributeScopeRegex prior to V3.2) matches the scope of attribute values against the supplied Java regular expression.

Confusingly, the ScopeRegex type can be a Matcher or a PolicyRequirement.

  • If no attributeID attribute is specified then it is a Matcher (returning that value if it is present amongst the values, and the empty set otherwise)
  • If an attributeID attribute is specified then it is a PolicyRule (returning true if that value is present amongst the values for the specified attribute).

Schema Name

The ScopeRegex type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at

The deprecated basic:AttributeScopeRegex type was defined in the urn:mace:shibboleth:shibboleth:2.0:afp:basic namespace, the schema for which can be found at


Three attributes may be specified

  • attributeID (type: String, default: none): If this is present, then this is a PolicyRule returning true if the corresponding attribute exists and contains a value that matches. If this is not present, then this is a Matcher returning any value that matches, and the empty set otherwise.
  • regex (type: Pattern, required): The regular expression to match against.

Child Elements



Simple Profile Policy
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>

Apply this rule if the attribute "EPSA" contains at least one scoped value whose scope ends in .edu.

Simple Matcher
<AttributeRule attributeID="uid">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" />
</AttributeRule>

Add any scoped values of the attribute "uid" with scope ending ".edu" to its permitted values list.

Compound PolicyRule (deprecated)
<afp:PolicyRequirementRule xsi:type="AttributeScopeRegex" regex="^.*\.edu$"/>

Apply this rule if any attribute contains a scoped value whose scope ends in .edu.

Compound Matcher (deprecated)
<AttributeRule attributeID="email">
   <PermitValueRule xsi:type="ScopeRegex" regex="^.*\.edu$" attributeID="EPSA"/>
</AttributeRule>

If the attribute "EPSA" contains any scoped value whose scope ends in .edu then release all values of "email".
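The two modes described above can be checked against a candidate regex before it goes into a filter policy. The following is an added example, not Shibboleth code and not part of the original page: the class and method names are hypothetical, scoped values are modelled as "value@scope" strings, and the whole scope is assumed to have to match the pattern (the page's regex is anchored, so this makes no difference for it). It also shows why the dot before "edu" is escaped in the page's examples.

```java
import java.util.*;
import java.util.regex.Pattern;

// Added illustration of the two ScopeRegex modes; hypothetical names, not Shibboleth classes.
public class ScopeRegexDemo {

    // Assumption: a scoped value is written "value@scope"; unscoped values have no scope.
    static Optional<String> scopeOf(String value) {
        int at = value.lastIndexOf('@');
        return at < 0 ? Optional.empty() : Optional.of(value.substring(at + 1));
    }

    // Matcher mode (no attributeID): the values whose scope matches, or the empty set.
    static Set<String> matcher(Pattern regex, Collection<String> values) {
        Set<String> permitted = new LinkedHashSet<>();
        for (String v : values) {
            if (scopeOf(v).filter(s -> regex.matcher(s).matches()).isPresent()) {
                permitted.add(v);
            }
        }
        return permitted;
    }

    // PolicyRule mode (attributeID given): true if that attribute exists and has a matching value.
    static boolean policyRule(Pattern regex, String attributeID, Map<String, List<String>> attrs) {
        return !matcher(regex, attrs.getOrDefault(attributeID, List.of())).isEmpty();
    }

    public static void main(String[] args) {
        Pattern escaped = Pattern.compile("^.*\\.edu$");  // regex used in the page's examples
        Pattern unescaped = Pattern.compile("^.*.edu$");  // same regex with the dot not escaped

        // Constructed sample attribute values.
        Map<String, List<String>> attrs = Map.of(
            "EPSA", List.of("member@example.edu", "staff@example.org"),
            "uid", List.of("jdoe@cs.example.edu", "jdoe@exampleedu", "jdoe"));

        // PolicyRule on "EPSA": one value has a scope ending in .edu.
        System.out.println("policy rule applies: " + policyRule(escaped, "EPSA", attrs));
        // Matcher on "uid": only the value scoped under .edu is permitted.
        System.out.println("permitted (escaped dot): " + matcher(escaped, attrs.get("uid")));
        // With an unescaped dot the scope "exampleedu" is permitted as well.
        System.out.println("permitted (unescaped dot): " + matcher(unescaped, attrs.get("uid")));
    }
}
```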
