This AttributeFilter, identified by type="XML", implements an XML-based rule syntax for filtering attributes. The syntax was forked from the original filtering language designed for the V2 IdP software; the best reference for it at the moment is the old V2 documentation, because the V3 IdP language has since drifted significantly.

This filter's configuration is implemented as a reloadable XML resource, which means the XML content can be supplied inline, in a local file, or in a remote file, and can be monitored for changes and reloaded on the fly. In every case the root of the XML MUST be an <afp:AttributeFilterPolicyGroup> element, either as a child element of the <AttributeFilter> element in an existing file or as the root of a separate file (usually the latter).

General Configuration

There is not a lot to say here; this page continues to point back to the old V2 IdP documentation for the moment. The main point of divergence with the V3 IdP is its collapsing of namespaces and shortening of some of the function plugin names, which was not backported to the SP.


This page refers to several different namespaces by convention as detailed below:

Prefix   XML Namespace                              Comments
afp      urn:mace:shibboleth:2.0:afp                The Shibboleth attribute filter rules namespace
basic    urn:mace:shibboleth:2.0:afp:mf:basic       The "basic" Shibboleth attribute filter rules namespace
saml     urn:mace:shibboleth:2.0:afp:mf:saml        The "SAML" attribute filter rules namespace
config   urn:mace:shibboleth:3.0:native:sp:config   The Shibboleth SP configuration namespace (usually the default namespace in shibboleth2.xml, so its elements appear unprefixed)


Aside from the type="XML" attribute itself, there is no other attribute content specific to this plugin type.

It supports all of the attributes common to all reloadable configuration resources:

id
    Identifies the component for logging purposes.

url
    Remote location of an XML resource containing the required configuration. The SP does not verify the transport (i.e. it does not verify the X.509 certificate presented by the remote server when HTTPS is the transport).

path (local path)
    Path to a local file containing the required configuration.

validate (boolean, default false)
    If true, XML validation is performed when loading the resource.

reloadChanges (boolean, default true)
    If a path attribute is used, the local file is monitored for changes and reloaded dynamically. This incurs some runtime overhead for locking, so it should be disabled if not needed.

maxRefreshDelay (time in seconds, default 0)
    If a url attribute is used, this attribute sets the time between attempts to download a fresh copy of the resource. If 0 (the default), no reloading occurs. This incurs some runtime overhead for locking, so it should be left at 0 if not needed.

reloadInterval (time in seconds, default 0)
    Synonym for maxRefreshDelay.

backingFilePath (local path)
    If a url attribute is used, the downloaded resource is copied to this location. If the software is started and the remote resource is unavailable or invalid, the backing file is loaded instead.

certificate (local path)
    Path to a certificate containing a public key to use to require and verify an XML signature over the resource. The certificate's other content is ignored.

signerName
    If present, the name is supplied to the <TrustEngine> used to verify an XML signature over the resource. A certificate containing the name must be available in the verification process (typically inside the signature).
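The note on the url attribute above is the security-relevant one: because the SP does not check the remote server's certificate, a policy fetched over HTTPS alone is trusted on nothing more than the network path. The fragment below is an added example for this page, not taken from the Shibboleth documentation or the project's shipped configuration, and shows the weak setting next to the corrected one. The URL, the refresh interval and both file names are constructed; the attributes are the reloadable-resource attributes listed above.

```xml
<!-- Added example (not from the Shibboleth documentation); URL and file names are constructed. -->

<!-- Weak: fetched over HTTPS, but the SP does not check the server certificate and
     nothing requires a signature, so whatever the remote host returns is installed as
     policy. Without backingFilePath there is no policy at all if the host is down at
     startup. -->
<AttributeFilter type="XML"
    url="https://policy.example.org/attribute-policy.xml"
    maxRefreshDelay="3600"/>

<!-- Hardened: certificate= requires an XML signature over the entire resource that
     verifies against the public key in policy-signer.pem, so content altered in transit
     or on the remote host is rejected; validate="true" rejects malformed policy before it
     is installed; backingFilePath keeps the last downloaded copy so the SP still starts
     when the remote host is unavailable. -->
<AttributeFilter type="XML"
    url="https://policy.example.org/attribute-policy.xml"
    backingFilePath="attribute-policy-remote.xml"
    maxRefreshDelay="3600"
    validate="true"
    certificate="policy-signer.pem"/>
```

The certificate attribute is the simplest form of signature verification; where the signing key is identified by name rather than pinned to one certificate, the <TrustEngine> child element and signerName described below take its place.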

Child Elements

The following child element must be provided, either inline, or as the root element of a local or remote XML resource to load from, which would be specified via the attribute(s) above.

<afp:AttributeFilterPolicyGroup> (exactly 1)
    Root element of the configuration.

When a non-inline configuration is used, it supports the following child elements common to all reloadable configuration resources.

These child elements are typically only used when relying on a remote configuration resource and are for advanced use cases.

<TrustEngine> (0 or 1)
    Used to require the presence of a top-level signature over the entire resource and to control the verification process.

(0 or 1)
    Used to require the presence of a top-level signature over the entire resource and to control the verification process. Mutually exclusive with the <TrustEngine> element and the certificate attribute.

<TransportOption> (0 or more)
    Provides low-level control over the library used to remotely access the resource.


Inline Attribute Filter

<config:AttributeFilter type="XML">
    <afp:AttributeFilterPolicyGroup
        xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

        <!-- Shared rule for affiliation values. -->
        <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in"/>
        </afp:PermitValueRule>

        <!-- Policies that reference the shared rule go here. -->

    </afp:AttributeFilterPolicyGroup>
</config:AttributeFilter>

External Attribute Filter

<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

The best example to this point is the file shipped with the software.
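The shipped file is the right starting point. The file below is an added example written for this page, not the shipped attribute-policy.xml and not project code, showing how the shared rule from the inline example above is actually consumed: a policy applied to every IdP that checks affiliation values and enforces metadata-backed scopes, a second policy that lets only one IdP assert an entitlement, and named pass-through rules in place of a wildcard. It assumes the attribute IDs affiliation, unscoped-affiliation, eppn, entitlement and displayName from the default attribute-map.xml; the IdP entityID is constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the attribute-policy.xml shipped with the SP. The IdP entityID is
     constructed; attribute IDs are assumed to match the ids in attribute-map.xml. -->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule, defined once and referenced by id below. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
        <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
    </afp:PermitValueRule>

    <!-- Shared rule for scoped attributes: the value part must not contain "@", and the
         scope must be one the asserting IdP is permitted to use according to the
         shibmd:Scope extensions in its metadata. -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <basic:Rule xsi:type="NOT">
            <basic:Rule xsi:type="basic:AttributeValueRegex" regex="@"/>
        </basic:Rule>
        <basic:Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <!-- Policy in effect for every IdP. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- A scoped affiliation needs a permitted value AND a metadata-backed scope. -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <basic:RuleReference ref="eduPersonAffiliationValues"/>
                <basic:Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Pass-through for a named attribute, without a wildcard. -->
        <afp:AttributeRule attributeID="displayName" permitAny="true"/>
    </afp:AttributeFilterPolicy>

    <!-- Policy in effect only for one IdP (entityID constructed). Because no other policy
         permits entitlement, the value is dropped when any other IdP asserts it. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
            value="https://idp.example.edu/idp/shibboleth"/>
        <afp:AttributeRule attributeID="entitlement">
            <afp:PermitValueRule xsi:type="basic:AttributeValueString"
                value="urn:mace:dir:entitlement:common-lib-terms"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Save it as attribute-policy.xml and load it with the path attribute as in the external example above; validate="true" schema-checks the file at load time. Attribute filtering is default-deny, so any attribute not named in some rule is removed; the shipped file instead ends with a catch-all <afp:AttributeRule attributeID="*" permitAny="true"/> that passes unlisted attributes through, and this example leaves that out deliberately so that the policy is an explicit allow-list.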
