+<afp:AttributeFilterPolicyGroup
+ xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+ xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
+ xmlns:afp="urn:mace:shibboleth:2.0:afp"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:2.0:afp @-PKGXMLDIR-@/shibboleth-2.0-afp.xsd urn:mace:shibboleth:2.0:afp:mf:basic @-PKGXMLDIR-@/shibboleth-2.0-afp-mf-basic.xsd urn:mace:shibboleth:2.0:afp:mf:saml @-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd">
+
+ <!-- Shared rule for affiliation values. -->
+ <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+ <Rule xsi:type="AttributeValueString" value="faculty"/>
+ <Rule xsi:type="AttributeValueString" value="student"/>
+ <Rule xsi:type="AttributeValueString" value="staff"/>
+ <Rule xsi:type="AttributeValueString" value="alum"/>
+ <Rule xsi:type="AttributeValueString" value="member"/>
+ <Rule xsi:type="AttributeValueString" value="affiliate"/>
+ <Rule xsi:type="AttributeValueString" value="employee"/>
+ </afp:PermitValueRule>
+
+ <!--
+ Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+ an AttributeRule for each attribute you want to check.
+ -->
+ <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
+ <Rule xsi:type="NOT">
+ <Rule xsi:type="AttributeValueRegex" regex="@"/>
+ </Rule>
+ <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
+ </afp:PermitValueRule>
+
+ <afp:AttributeFilterPolicy>
+ <!-- This policy is in effect in all cases. -->
+ <afp:PolicyRequirementRule xsi:type="ANY"/>
+
+ <!-- Filter out undefined affiliations and ensure only one primary. -->
+ <afp:AttributeRule attributeID="affiliation">
+ <afp:PermitValueRule xsi:type="AND">
+ <RuleReference ref="eduPersonAffiliationValues"/>
+ <RuleReference ref="ScopingRules"/>
+ </afp:PermitValueRule>
+ </afp:AttributeRule>
+ <afp:AttributeRule attributeID="unscoped-affiliation">
+ <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+ </afp:AttributeRule>
+ <afp:AttributeRule attributeID="primary-affiliation">
+ <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+ </afp:AttributeRule>
+
+ <afp:AttributeRule attributeID="eppn">
+ <afp:PermitValueRuleReference ref="ScopingRules"/>
+ </afp:AttributeRule>
+
+ <afp:AttributeRule attributeID="targeted-id">
+ <afp:PermitValueRuleReference ref="ScopingRules"/>
+ </afp:AttributeRule>
+
+ <!-- Catch-all that passes everything else through unmolested. -->
+ <afp:AttributeRule attributeID="*">
+ <afp:PermitValueRule xsi:type="ANY"/>
+ </afp:AttributeRule>
+
+ </afp:AttributeFilterPolicy>
+
+</afp:AttributeFilterPolicyGroup>
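Review bot: The catch-all `attributeID="*"` rule with `PermitValueRule xsi:type="ANY"` releases every attribute that is not named above it, and because the only `PolicyRequirementRule` is `ANY` there is no issuer gating at all, so any scoped attribute the SP maps beyond `affiliation`, `eppn` and `targeted-id` (whatever attribute-map.xml defines, which is not visible here) will reach the application with no scope check; the comment on the `ScopingRules` rule already warns that it must be applied by hand, but the catch-all should say so explicitly, e.g. `<!-- Catch-all: any attribute not listed above is released unchecked, including scoped ones. Add an AttributeRule with ScopingRules for every new scoped attribute before relying on its scope. -->`. The comment "Filter out undefined affiliations and ensure only one primary." overstates the rules that follow: the three affiliation rules only restrict values to the permitted vocabulary, and nothing limits `primary-affiliation` to a single value, so I would reword it to `<!-- Restrict affiliation values to the eduPerson vocabulary; this does not enforce a single primary-affiliation value. -->`. The `NOT AttributeValueRegex regex="@"` leg of `ScopingRules` presumably relies on the decoder having already split the scope off the value; that is worth a one-line comment so a future reader does not read it as rejecting scoped values outright.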