1 <afp:AttributeFilterPolicyGroup
2 xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
3 xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
4 xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
5 xmlns:afp="urn:mace:shibboleth:2.0:afp"
6 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!-- Shared allow-list of affiliation values: wherever this rule is applied, any value not in the list is dropped. -->
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
    <!-- OR of exact string matches: a value passes only if it equals one of these
         (order is irrelevant to an OR; listed alphabetically for easy auditing).
         Anything an IdP sends outside this list is silently discarded. -->
    <Rule xsi:type="AttributeValueString" value="affiliate"/>
    <Rule xsi:type="AttributeValueString" value="alum"/>
    <Rule xsi:type="AttributeValueString" value="employee"/>
    <Rule xsi:type="AttributeValueString" value="faculty"/>
    <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    <Rule xsi:type="AttributeValueString" value="member"/>
    <Rule xsi:type="AttributeValueString" value="staff"/>
    <Rule xsi:type="AttributeValueString" value="student"/>
</afp:PermitValueRule>
<!--
Shared rule for "scoped" attributes. It is NOT applied automatically: reference it from
an AttributeRule for every scoped attribute that must be checked (see eppn, affiliation
and targeted-id below). A scoped attribute without such a rule falls through to the
catch-all rule at the end of the policy and is released without any scope check.
-->
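<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <!-- Both conditions must hold for a value to be released. -->

    <!-- 1. The decoded value part must not itself contain "@". A value that still carries
         a delimiter could be read by a consumer as having a different, unchecked scope.
         NOTE(review): the guard must be negated. A bare AttributeValueRegex here would
         *require* "@" in every value, rejecting legitimately decoded scoped values and
         passing only the ones that still embed a delimiter - the opposite of the intent. -->
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>

    <!-- 2. The scope must match a shibmd:Scope the asserting IdP publishes in its metadata,
         so one IdP cannot assert identities in another organisation's scope. -->
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
</afp:PermitValueRule>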
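<afp:AttributeFilterPolicy>
    <!-- ANY: this policy applies to every issuer and every requester. To restrict a given
         attribute to particular IdPs, add a further AttributeFilterPolicy with a narrower
         PolicyRequirementRule rather than loosening the rules below. -->
    <afp:PolicyRequirementRule xsi:type="ANY"/>

    <!-- affiliation (scoped): the value must be in the shared affiliation list AND the scope
         must be one the asserting IdP is entitled to claim in metadata. -->
    <afp:AttributeRule attributeID="affiliation">
        <afp:PermitValueRule xsi:type="AND">
            <RuleReference ref="eduPersonAffiliationValues"/>
            <RuleReference ref="ScopingRules"/>
        </afp:PermitValueRule>
    </afp:AttributeRule>

    <!-- Unscoped variants: only the value list is checked, as there is no scope to verify.
         Note that nothing here limits primary-affiliation to a single value; these rules
         only drop values outside the list. -->
    <afp:AttributeRule attributeID="unscoped-affiliation">
        <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="primary-affiliation">
        <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
    </afp:AttributeRule>

    <!-- Scoped identifiers: the scope must be one the asserting IdP may claim, so an IdP
         cannot assert an eppn or targeted-id belonging to another organisation. The value
         part itself is not otherwise constrained by this policy. -->
    <afp:AttributeRule attributeID="eppn">
        <afp:PermitValueRuleReference ref="ScopingRules"/>
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="targeted-id">
        <afp:PermitValueRuleReference ref="ScopingRules"/>
    </afp:AttributeRule>

    <!-- persistent-id: the NameID's NameQualifier must equal the asserting IdP's entityID and
         its SPNameQualifier must equal this SP's entityID, so an identifier qualified for a
         different IdP/SP pair is rejected. -->
    <afp:AttributeRule attributeID="persistent-id">
        <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
    </afp:AttributeRule>

    <!-- Catch-all: every attribute not named above is released with NO value checking.
         Any attribute added to the attribute map that an application relies on for
         authorization (entitlements, group membership, mail, uid, ...) needs its own
         AttributeRule here; otherwise any IdP matched by this policy can assert arbitrary
         values for it. -->
    <afp:AttributeRule attributeID="*">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>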
69 </afp:AttributeFilterPolicyGroup>