1 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
2 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 xsi:schemaLocation="urn:mace:shibboleth:1.0 @-PKGXMLDIR-@/shibboleth.xsd">
6 An AAP is a set of AttributeRule elements, each one
7 referencing a specific attribute by URI. All attributes that
8 should be visible to an application running at the target should
9 be listed, or they will be filtered out.
11 The Header and Alias attributes map an attribute to an HTTP header
12 and to an htaccess rule name respectively. Without Header, the attribute
13 will only be obtainable from the exported SAML assertion in raw XML.
15 Scoped attributes can also be filtered on Scope via rules in the
16 asserting identity provider's metadata.
18 Finally, a note on naming. The attributes in this file are mostly drawn from
19 the set documented here:
21 http://middleware.internet2.edu/urn-mace/urn-mace-dir-attribute-def.html
23 The actual naming convention most of them follow is NOT to be used for
24 any subsequent attributes bound to SAML, and you are NOT free to just
25 make up names using it, because the urn:mace:dir namespace tree is
26 controlled. For help and advice on defining new attributes, refer to:
28 https://spaces.internet2.edu/display/SHIB/AttributeNaming
31 <!-- First some useful eduPerson attributes that many sites might use. -->
33 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
34 <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
37 <Value>FACULTY</Value>
38 <Value>STUDENT</Value>
41 <Value>AFFILIATE</Value>
42 <Value>EMPLOYEE</Value>
45 <!-- Example of Scope rule to override site metadata. -->
46 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
47 <Scope Accept="false">shibdev.edu</Scope>
48 <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
53 This attribute is provided mostly to ease testing because an IdP out of the box only
54 sends the unscoped version. It has little use because it lacks the context needed to
55 work in a multi-domain scenario and is a subset of the scoped version anyway.
57 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
60 <Value>FACULTY</Value>
61 <Value>STUDENT</Value>
64 <Value>AFFILIATE</Value>
65 <Value>EMPLOYEE</Value>
69 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
70 <!-- Basic rule to pass through any value. -->
72 <Value Type="regexp">^[^@]+$</Value>
76 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
77 <!-- Entitlements tend to be filtered per-site. -->
80 Optional site rule that applies to any site
82 <Value>urn:mace:example.edu:exampleEntitlement</Value>
86 <!-- Specific rules for an origin site, these are just development/sample sites. -->
87 <SiteRule Name="urn:mace:inqueue:example.edu">
88 <Value Type="regexp">^urn:mace:.+$</Value>
90 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
91 <Value Type="regexp">^urn:mace:.+$</Value>
95 <!-- A persistent id attribute that supports personalized anonymous access. -->
97 <!-- First, the deprecated version: -->
98 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Scoped="true" Header="Shib-TargetedID" Alias="targeted_id">
104 <!-- Second, the new version (note the OID-style name): -->
105 <AttributeRule Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" Header="Shib-TargetedID" Alias="targeted_id">
111 <!-- Some more eduPerson attributes, uncomment these to use them... -->
114 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
120 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" CaseSensitive="false" Header="Shib-EP-PrimaryAffiliation">
122 <Value>MEMBER</Value>
123 <Value>FACULTY</Value>
124 <Value>STUDENT</Value>
127 <Value>AFFILIATE</Value>
128 <Value>EMPLOYEE</Value>
132 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
138 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
144 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">
153 <!--Examples of common LDAP-based attributes, uncomment to use these... -->
156 <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
162 <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
168 <AttributeRule Name="urn:mace:dir:attribute-def:mail" Header="Shib-InetOrgPerson-mail">
174 <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
180 <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
186 <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
192 <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
198 <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
204 <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
210 <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
216 <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
222 <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
228 <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
234 <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
240 <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
246 <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
252 <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
258 <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
264 <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
270 <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
276 <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
282 <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
288 <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
294 <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
300 <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
306 <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
314 </AttributeAcceptancePolicy>