Page tree

Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »


The basic:Script type allows definition of complex filtering by defining an ECMA script is a either a Mapper or a PolicyRule depending on the location.  The script has define either a Policy Rule or a Mapper depending on its location

  • If the script is specified within the scope of an <AttributeRule> element then the script has to be Mapper, returning a java.util.Set<AttributeValue>, which is added to the permit or deny list for the attribute in questione
  • If the script  is specified within the scope of a <PolicyRequirementRule>element then the script has to be a PolicyRule  (returning a java.lang.Boolean), whuich defines whether the rule is active or not.

Schema Name

The basic:AttributeScript  type is defined by the urn:mace:shibboleth:2.0:afp:mf:basic schema, which can be located at


One attributes may be specified

langStringjavascriptThe ECMA language that the script is in

Child Elements

One of two child elements can be provided

<basc:ScriptFile> The path of a resource (usually a file) which contains the script
<basic:Script> The script. It is usual to specify this within a CDATA

Data available to the script

The script has the following variables available

filterContext AttributeFilterContextThe AttributeFilter context provides some information about the request, and a mechanism to navigate to other contexts

The root context for the request

attribute (Matcher Only)AttributeThe attribute being filtered


Inline Matcher
<afp:AttributeRule attributeID="email">
	<afp:PermitValueRule xsi:type="basic:Script">
            hashSetType = Java.type("java.util.HashSet");
            result = new hashSetType();

This simple rule just adds the first value of the attribute "email" to its permit list.

Externally specified PolicyRule
<afp:AttributeFilterPolicy id="Example">
	<afp:PolicyRequirementRule xsi:type="basic:Script" language="JavaScript">
Simple JavaScript PolicyRule
boolType = Java.type("java.lang.Boolean");
if (/* Some sort of condition */) {
  result = new boolType(false);
} else {
  result = new boolType(true);

V2 Compatibility

No compatibility with V2 is provided..

  • No labels