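<!--
  Shibboleth SP attribute filter policy.

  Every attribute the SP decodes passes through this policy before it is
  exposed to the application.  The rules decide which VALUES of an attribute
  are kept; a value not permitted by a matching rule is dropped.  Shared value
  rules are declared first and referenced by id from the AttributeRule
  elements inside the policy.
-->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for affiliation values: exact string match against the
         eduPersonAffiliation vocabulary.  Any value outside this list is discarded. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    </afp:PermitValueRule>

    <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.

    Both conditions must hold for a value to survive (AND):
      * the value part must not itself contain "@".  Scope and value are decoded
        separately, so a literal "@" left in the value part would mean a second,
        unchecked scope is being carried inside the value; and
      * the scope part must match a Scope the asserting IdP is entitled to use
        according to its metadata.  Metadata is therefore the trust anchor for
        every scoped attribute released by this policy.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <!-- NOTE(review): the NOT wrapper was not visible in the rendered source
             (two lines are missing at this point).  It is present in the stock
             Shibboleth SP policy and is what gives the regex its meaning; without
             it the rule would PERMIT only values that contain "@".  Confirm against
             the deployed file. -->
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases: it applies to every asserting
             IdP rather than to a specific issuer. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Filter out undefined affiliations.  "affiliation" is a scoped attribute,
             so its scope is checked as well; the two unscoped variants get only the
             value whitelist.  Nothing in these rules limits primary-affiliation to a
             single value. -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <!-- Scoped identifiers: release only values whose scope the asserting IdP
             is entitled to use. -->
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Catch-all that passes everything else through unmolested.
             Any attribute id not named above is released with NO value checks.
             When a new scoped attribute is added to the attribute map it must also
             get an AttributeRule referencing ScopingRules here; otherwise values in
             scopes the IdP does not own reach the application unfiltered. -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>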