From 7fac2e62afd540b4c762bb39d53778a9de2ed309 Mon Sep 17 00:00:00 2001
From: Scott Cantor <cantor.2@osu.edu>
Date: Thu, 5 May 2016 15:45:17 -0400
Subject: [PATCH] SSPCPP-677 - Filter schacHomeOrganization values against
 shibmd:Scope

https://issues.shibboleth.net/jira/browse/SSPCPP-677

AttributeValueMatchesShibMDScope function type added to code and schema.
schacHomeOrganization added to policy and (commented out) to map.
---
 Projects/vc10/shibsp/shibsp.vcxproj                |   2 +-
 Projects/vc10/shibsp/shibsp.vcxproj.filters        |   6 +-
 configs/attribute-map.xml                          | 109 +++++++++++----------
 configs/attribute-policy.xml                       |   5 +
 schemas/shibboleth-2.0-afp-mf-saml.xsd             |  11 +++
 shibsp/Makefile.am                                 |   2 +-
 shibsp/attribute/filtering/MatchFunctor.h          |   5 +-
 ....cpp => AttributeMatchesShibMDScopeFunctor.cpp} |  40 ++++++--
 shibsp/attribute/filtering/impl/MatchFunctor.cpp   |   4 +
 9 files changed, 117 insertions(+), 67 deletions(-)
 rename shibsp/attribute/filtering/impl/{AttributeScopeMatchesShibMDScopeFunctor.cpp => AttributeMatchesShibMDScopeFunctor.cpp} (73%)

diff --git a/Projects/vc10/shibsp/shibsp.vcxproj b/Projects/vc10/shibsp/shibsp.vcxproj
index daf761a..16ac9cd 100644
--- a/Projects/vc10/shibsp/shibsp.vcxproj
+++ b/Projects/vc10/shibsp/shibsp.vcxproj
@@ -251,7 +251,7 @@
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterInEntityGroupFunctor.cpp" />
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterRegexFunctor.cpp" />
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp" />
-    <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp" />
+    <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeMatchesShibMDScopeFunctor.cpp" />
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp" />
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeStringFunctor.cpp" />
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeValueRegexFunctor.cpp" />
diff --git a/Projects/vc10/shibsp/shibsp.vcxproj.filters b/Projects/vc10/shibsp/shibsp.vcxproj.filters
index 929c38e..0552dce 100644
--- a/Projects/vc10/shibsp/shibsp.vcxproj.filters
+++ b/Projects/vc10/shibsp/shibsp.vcxproj.filters
@@ -141,9 +141,6 @@
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeRequesterStringFunctor.cpp">
       <Filter>Source Files\attribute\filtering\impl</Filter>
     </ClCompile>
-    <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeMatchesShibMDScopeFunctor.cpp">
-      <Filter>Source Files\attribute\filtering\impl</Filter>
-    </ClCompile>
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeScopeRegexFunctor.cpp">
       <Filter>Source Files\attribute\filtering\impl</Filter>
     </ClCompile>
@@ -429,6 +426,9 @@
     <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\RegistrationAuthorityFunctor.cpp">
       <Filter>Source Files\attribute\filtering\impl</Filter>
     </ClCompile>
+    <ClCompile Include="..\..\..\shibsp\attribute\filtering\impl\AttributeMatchesShibMDScopeFunctor.cpp">
+      <Filter>Source Files\attribute\filtering\impl</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="..\..\..\shibsp\GSSRequest.h">
diff --git a/configs/attribute-map.xml b/configs/attribute-map.xml
index c163754..febaf90 100644
--- a/configs/attribute-map.xml
+++ b/configs/attribute-map.xml
@@ -8,30 +8,30 @@
     -->
     
     <!-- First some useful eduPerson attributes that many sites might use. -->
-    
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
     </Attribute>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName" id="eppn">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
     </Attribute>
-    
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" id="affiliation">
         <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
     </Attribute>
-    
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
         <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
     </Attribute>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation" id="unscoped-affiliation">
         <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
     </Attribute>
-    
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
+
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement" id="entitlement"/>
 
     <!-- A persistent id attribute that supports personalized anonymous access. -->
     
@@ -60,13 +60,12 @@
     
     <!-- Some more eduPerson attributes, uncomment these to use them... -->
     <!--
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
-        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
-    </Attribute>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
-    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
+    
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
 
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
         <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
@@ -76,44 +75,22 @@
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
     <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
 
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
-    
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="member"/>
-    
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.1" id="eduCourseOffering"/>
-    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.6.1.2" id="eduCourseMember"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonNickname" id="nickname"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" id="primary-orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" id="orgunit-dn"/>
+    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN" id="org-dn"/>
     -->
 
+    <!-- SCHAC attributes, uncomment to use... -->
+    <!--
+    <Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization"/>
+    -->
+    
     <!-- Examples of LDAP-based attributes, uncomment to use these... -->
     <!--
-    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
-    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
-    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
-    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
-    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
-    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
-    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
-    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
-    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
-    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
-    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
-    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
-    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
-    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
-    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
-    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
-    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
-    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
-    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
-    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
-    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
-    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
-    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
-    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
-
     <Attribute name="urn:oid:2.5.4.3" id="cn"/>
     <Attribute name="urn:oid:2.5.4.4" id="sn"/>
     <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
@@ -141,6 +118,34 @@
     <Attribute name="urn:oid:2.5.4.11" id="ou"/>
     <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
     <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
+
+    <Attribute name="urn:mace:dir:attribute-def:cn" id="cn"/>
+    <Attribute name="urn:mace:dir:attribute-def:sn" id="sn"/>
+    <Attribute name="urn:mace:dir:attribute-def:givenName" id="givenName"/>
+    <Attribute name="urn:mace:dir:attribute-def:displayName" id="displayName"/>
+    <Attribute name="urn:mace:dir:attribute-def:uid" id="uid"/>
+    <Attribute name="urn:mace:dir:attribute-def:mail" id="mail"/>
+    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber" id="telephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:title" id="title"/>
+    <Attribute name="urn:mace:dir:attribute-def:initials" id="initials"/>
+    <Attribute name="urn:mace:dir:attribute-def:description" id="description"/>
+    <Attribute name="urn:mace:dir:attribute-def:carLicense" id="carLicense"/>
+    <Attribute name="urn:mace:dir:attribute-def:departmentNumber" id="departmentNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeNumber" id="employeeNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
+    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage" id="preferredLanguage"/>
+    <Attribute name="urn:mace:dir:attribute-def:manager" id="manager"/>
+    <Attribute name="urn:mace:dir:attribute-def:seeAlso" id="seeAlso"/>
+    <Attribute name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" id="facsimileTelephoneNumber"/>
+    <Attribute name="urn:mace:dir:attribute-def:street" id="street"/>
+    <Attribute name="urn:mace:dir:attribute-def:postOfficeBox" id="postOfficeBox"/>
+    <Attribute name="urn:mace:dir:attribute-def:postalCode" id="postalCode"/>
+    <Attribute name="urn:mace:dir:attribute-def:st" id="st"/>
+    <Attribute name="urn:mace:dir:attribute-def:l" id="l"/>
+    <Attribute name="urn:mace:dir:attribute-def:o" id="o"/>
+    <Attribute name="urn:mace:dir:attribute-def:ou" id="ou"/>
+    <Attribute name="urn:mace:dir:attribute-def:businessCategory" id="businessCategory"/>
+    <Attribute name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" id="physicalDeliveryOfficeName"/>
     -->
 
 </Attributes>
diff --git a/configs/attribute-policy.xml b/configs/attribute-policy.xml
index a2d1742..ba0449f 100644
--- a/configs/attribute-policy.xml
+++ b/configs/attribute-policy.xml
@@ -58,6 +58,11 @@
         <afp:AttributeRule attributeID="persistent-id">
             <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
         </afp:AttributeRule>
+        
+        <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+        <afp:AttributeRule attributeID="schacHomeOrganization">
+            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
+        </afp:AttributeRule>
 
         <!-- Catch-all that passes everything else through unmolested. -->
         <afp:AttributeRule attributeID="*">
diff --git a/schemas/shibboleth-2.0-afp-mf-saml.xsd b/schemas/shibboleth-2.0-afp-mf-saml.xsd
index 86380b1..4161f58 100644
--- a/schemas/shibboleth-2.0-afp-mf-saml.xsd
+++ b/schemas/shibboleth-2.0-afp-mf-saml.xsd
@@ -247,6 +247,17 @@
         </complexContent>
     </complexType>
 
+    <complexType name="AttributeValueMatchesShibMDScope">
+        <annotation>
+            <documentation>
+                A match function that ensures that an attribute's value matches a scope given in metadata for the entity or role.
+            </documentation>
+        </annotation>
+        <complexContent>
+            <extension base="afp:MatchFunctorType" />
+        </complexContent>
+    </complexType>
+
     <complexType name="AttributeIssuerRegistrationAuthority">
         <annotation>
             <documentation>
diff --git a/shibsp/Makefile.am b/shibsp/Makefile.am
index 6e75bc7..b5dbbb4 100644
--- a/shibsp/Makefile.am
+++ b/shibsp/Makefile.am
@@ -211,7 +211,7 @@ libshibsp_la_SOURCES = \
 	attribute/filtering/impl/AttributeRequesterEntityAttributeFunctor.cpp \
 	attribute/filtering/impl/AttributeIssuerEntityMatcherFunctor.cpp \
 	attribute/filtering/impl/AttributeRequesterEntityMatcherFunctor.cpp \
-	attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp \
+	attribute/filtering/impl/AttributeMatchesShibMDScopeFunctor.cpp \
     attribute/filtering/impl/RegistrationAuthorityFunctor.cpp \
 	attribute/resolver/impl/ChainingAttributeResolver.cpp \
 	attribute/resolver/impl/QueryAttributeResolver.cpp \
diff --git a/shibsp/attribute/filtering/MatchFunctor.h b/shibsp/attribute/filtering/MatchFunctor.h
index 8b9ac58..9622665 100644
--- a/shibsp/attribute/filtering/MatchFunctor.h
+++ b/shibsp/attribute/filtering/MatchFunctor.h
@@ -146,9 +146,12 @@ namespace shibsp {
     /** Matches based on requester and pluggable criteria. */
     extern SHIBSP_API xmltooling::QName AttributeRequesterEntityMatcherType;
 
-    /** Matches based on metadata Scope extensions. */
+    /** Matches scope based on metadata Scope extensions. */
     extern SHIBSP_API xmltooling::QName AttributeScopeMatchesShibMDScopeType;
 
+    /** Matches value based on metadata Scope extensions. */
+    extern SHIBSP_API xmltooling::QName AttributeValueMatchesShibMDScopeType;
+
     /** Matches based on NameID NameQualifiers. */
     extern SHIBSP_API xmltooling::QName NameIDQualifierStringType;
 
diff --git a/shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp b/shibsp/attribute/filtering/impl/AttributeMatchesShibMDScopeFunctor.cpp
similarity index 73%
rename from shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp
rename to shibsp/attribute/filtering/impl/AttributeMatchesShibMDScopeFunctor.cpp
index c78f0b6..2d64126 100644
--- a/shibsp/attribute/filtering/impl/AttributeScopeMatchesShibMDScopeFunctor.cpp
+++ b/shibsp/attribute/filtering/impl/AttributeMatchesShibMDScopeFunctor.cpp
@@ -42,12 +42,10 @@ using namespace std;
 
 namespace shibsp {
 
-    static const XMLCh groupID[] = UNICODE_LITERAL_7(g,r,o,u,p,I,D);
-
     /**
-     * A match function that ensures that an attributes value's scope matches a scope given in metadata for the entity or role.
+     * A match function that ensures that a string matches a scope given in metadata for the entity or role.
      */
-    class SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFunctor : public MatchFunctor
+    class SHIBSP_DLLLOCAL AbstractAttributeMatchesShibMDScopeFunctor : public MatchFunctor
     {
     public:
         bool evaluatePolicyRequirement(const FilteringContext& filterContext) const {
@@ -59,10 +57,10 @@ namespace shibsp {
             if (!issuer)
                 return false;
 
-            const char* scope = attribute.getScope(index);
-            if (!scope || !*scope)
+            const char* s = getStringToMatch(attribute, index);
+            if (!s || !*s)
                 return false;
-            auto_arrayptr<XMLCh> widescope(fromUTF8(scope));
+            auto_arrayptr<XMLCh> widestr(fromUTF8(s));
 
             const Scope* rule;
             const Extensions* ext = issuer->getExtensions();
@@ -70,7 +68,7 @@ namespace shibsp {
                 const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
                 for (vector<XMLObject*>::const_iterator e = exts.begin(); e != exts.end(); ++e) {
                     rule = dynamic_cast<const Scope*>(*e);
-                    if (rule && matches(*rule, widescope)) {
+                    if (rule && matches(*rule, widestr)) {
                         return true;
                     }
                 }
@@ -81,7 +79,7 @@ namespace shibsp {
                 const vector<XMLObject*>& exts = ext->getUnknownXMLObjects();
                 for (vector<XMLObject*>::const_iterator e = exts.begin(); e != exts.end(); ++e) {
                     rule = dynamic_cast<const Scope*>(*e);
-                    if (rule && matches(*rule, widescope)) {
+                    if (rule && matches(*rule, widestr)) {
                         return true;
                     }
                 }
@@ -90,6 +88,9 @@ namespace shibsp {
             return false;
         }
 
+    protected:
+        virtual const char* getStringToMatch(const Attribute& attribute, size_t index) const = 0;
+
     private:
         bool matches(const Scope& rule, auto_arrayptr<XMLCh>& scope) const {
             const XMLCh* val = rule.getValue();
@@ -106,9 +107,30 @@ namespace shibsp {
         }
     };
 
+    class AttributeScopeMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor
+    {
+    protected:
+        const char* getStringToMatch(const Attribute& attribute, size_t index) const {
+            return attribute.getScope(index);
+        }
+    };
+
+    class AttributeValueMatchesShibMDScopeFunctor : public AbstractAttributeMatchesShibMDScopeFunctor
+    {
+    protected:
+        const char* getStringToMatch(const Attribute& attribute, size_t index) const {
+            return attribute.getString(index);
+        }
+    };
+
     MatchFunctor* SHIBSP_DLLLOCAL AttributeScopeMatchesShibMDScopeFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
     {
         return new AttributeScopeMatchesShibMDScopeFunctor();
     }
 
+    MatchFunctor* SHIBSP_DLLLOCAL AttributeValueMatchesShibMDScopeFactory(const pair<const FilterPolicyContext*,const DOMElement*>& p)
+    {
+        return new AttributeValueMatchesShibMDScopeFunctor();
+    }
+
 };
diff --git a/shibsp/attribute/filtering/impl/MatchFunctor.cpp b/shibsp/attribute/filtering/impl/MatchFunctor.cpp
index 689989a..e69c337 100644
--- a/shibsp/attribute/filtering/impl/MatchFunctor.cpp
+++ b/shibsp/attribute/filtering/impl/MatchFunctor.cpp
@@ -72,6 +72,7 @@ namespace shibsp {
     DECL_FACTORY(AttributeIssuerEntityMatcher);
     DECL_FACTORY(AttributeRequesterEntityMatcher);
     DECL_FACTORY(AttributeScopeMatchesShibMDScope);
+    DECL_FACTORY(AttributeValueMatchesShibMDScope);
     DECL_FACTORY(NameIDQualifierString);
     DECL_FACTORY(AttributeIssuerRegistrationAuthority);
     DECL_FACTORY(RegistrationAuthority);
@@ -104,6 +105,7 @@ namespace shibsp {
     static const XMLCh AttributeIssuerEntityMatcher[] = UNICODE_LITERAL_28(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,E,n,t,i,t,y,M,a,t,c,h,e,r);
     static const XMLCh AttributeRequesterEntityMatcher[] = UNICODE_LITERAL_31(A,t,t,r,i,b,u,t,e,R,e,q,u,e,s,t,e,r,E,n,t,i,t,y,M,a,t,c,h,e,r);
     static const XMLCh AttributeScopeMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,S,c,o,p,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e);
+    static const XMLCh AttributeValueMatchesShibMDScope[] = UNICODE_LITERAL_32(A,t,t,r,i,b,u,t,e,V,a,l,u,e,M,a,t,c,h,e,s,S,h,i,b,M,D,S,c,o,p,e);
     static const XMLCh NameIDQualifierString[] =        UNICODE_LITERAL_21(N,a,m,e,I,D,Q,u,a,l,i,f,i,e,r,S,t,r,i,n,g);
     static const XMLCh AttributeIssuerRegistrationAuthority[] = UNICODE_LITERAL_36(A,t,t,r,i,b,u,t,e,I,s,s,u,e,r,R,e,g,i,s,t,r,a,t,i,o,n,A,u,t,h,o,r,i,t,y);
     static const XMLCh RegistrationAuthority[] =        UNICODE_LITERAL_21(R,e,g,i,s,t,r,a,t,i,o,n,A,u,t,h,o,r,i,t,y);
@@ -136,6 +138,7 @@ DECL_SAML_QNAME(EntityAttributeRegexMatch, EntityAttributeRegexMatch);
 DECL_SAML_QNAME(AttributeIssuerEntityMatcher, AttributeIssuerEntityMatcher);
 DECL_SAML_QNAME(AttributeRequesterEntityMatcher, AttributeRequesterEntityMatcher);
 DECL_SAML_QNAME(AttributeScopeMatchesShibMDScope, AttributeScopeMatchesShibMDScope);
+DECL_SAML_QNAME(AttributeValueMatchesShibMDScope, AttributeValueMatchesShibMDScope);
 DECL_SAML_QNAME(NameIDQualifierString, NameIDQualifierString);
 DECL_SAML_QNAME(AttributeIssuerRegistrationAuthority, AttributeIssuerRegistrationAuthority);
 DECL_SAML_QNAME(RegistrationAuthority, RegistrationAuthority);
@@ -168,6 +171,7 @@ void SHIBSP_API shibsp::registerMatchFunctors()
     REGISTER_FACTORY(AttributeIssuerEntityMatcher);
     REGISTER_FACTORY(AttributeRequesterEntityMatcher);
     REGISTER_FACTORY(AttributeScopeMatchesShibMDScope);
+    REGISTER_FACTORY(AttributeValueMatchesShibMDScope);
     REGISTER_FACTORY(NameIDQualifierString);
     REGISTER_FACTORY(AttributeIssuerRegistrationAuthority);
     REGISTER_FACTORY(RegistrationAuthority);
-- 
2.1.4