<!--
    Attribute filter policy for the Shibboleth SP (configs/attribute-policy.xml in cpp-sp).
    Every rule in this file is a PermitValueRule, so a value survives only if some rule in
    the AttributeRule for its attributeID matches it; values no rule permits are dropped.
    Keep that in mind when adding attributes: a rule that is too narrow silently drops data,
    while a missing rule hands the attribute to the "*" catch-all at the bottom, which accepts
    any value from any IdP without checks.
    Namespaces: the default namespace and the "basic" prefix are the same URI, so the
    unprefixed <Rule> elements below are basic rules; "saml" rules need the explicit prefix.
-->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    Shared rule for affiliation values: the eduPerson controlled vocabulary.
    An OR of exact string matches, so any value that is not literally one of these
    eight strings is dropped. Nothing here requests a case-insensitive comparison, so a
    value such as "Student" would be rejected unless the SP's AttributeValueString matcher
    ignores case by default (TODO confirm against the SP's matcher implementation).
    -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    </afp:PermitValueRule>

    <!--
    Shared rule for all "scoped" attributes (attributes that arrive as value@scope and are
    handled as a value plus a separate scope). It is an AND of two checks:
      1. NOT AttributeValueRegex "@": reject any value that still contains an "@", i.e. one
         that was not cleanly separated from its scope or carries an extra separator;
      2. saml:AttributeScopeMatchesShibMDScope: the value's scope must match a shibmd:Scope
         declared in the asserting IdP's metadata.
    Together these are what stop an IdP from asserting eppn or affiliation values scoped to a
    domain it is not registered for. The second check depends on the IdP's metadata actually
    carrying Scope elements; an IdP with no declared scope presumably fails it and has its
    scoped values dropped (verify against the SP's filter code and your metadata, not this file).
    NOTE: this rule is not applied automatically. You must reference it from an AttributeRule
    for every scoped attribute you want checked; a scoped attribute mapped elsewhere in the SP
    configuration (typically attribute-map.xml) without such a rule falls through to the "*"
    catch-all below and is accepted unverified.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!--
        PolicyRequirementRule ANY: this policy applies to every IdP and every request;
        there is no per-issuer or per-application branch in this file.
        -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!--
        Affiliation attributes. The scoped form ("affiliation") must satisfy both the
        controlled vocabulary and the scoping rules; the unscoped forms only the vocabulary,
        since they carry no scope to verify. Note that nothing in this policy limits
        primary-affiliation to a single value; it only constrains which values are allowed.
        -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <!--
        eppn is scoped: drop values with a stray "@" and values whose scope the asserting
        IdP's metadata does not declare. No vocabulary check applies to the local part.
        -->
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- targeted-id is scoped as well; same two checks as eppn. -->
        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!--
        persistent-id is a SAML NameID rather than a scoped string, so the scoping rules do
        not apply. NameIDQualifierString requires its NameQualifier to match the IdP's entityID
        and its SPNameQualifier to match this SP's entityID; a value qualified for a different
        IdP or SP is dropped instead of being accepted as one of ours.
        -->
        <afp:AttributeRule attributeID="persistent-id">
            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
        </afp:AttributeRule>

        <!--
        Catch-all: any attribute without a dedicated AttributeRule above is passed through with
        all of its values, from any IdP, with no checks at all. Anything that carries a scope,
        an identifier, or a value an application makes an authorization decision on should get
        its own rule above rather than rely on this. Removing this rule presumably turns the
        policy into deny-by-default, dropping every attribute not named above; confirm before
        doing so.
        -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>