1 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
2 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
3 xsi:schemaLocation="urn:mace:shibboleth:1.0 @-PKGXMLDIR-@/shibboleth.xsd">
6 An AAP is a set of AttributeRule elements, each one
7 referencing a specific attribute by URI. All attributes that
8 should be visible to an application running at the target should
9 be listed, or they will be filtered out.
11 The Header and Alias attributes map an attribute to an HTTP header
12 and to an htaccess rule name respectively. Without Header, the attribute
13 will only be obtainable from the exported SAML assertion in raw XML.
15 Scoped attributes are also filtered on Scope via the Domain elements
19 <!-- First some useful eduPerson attributes that many sites might use. -->
21 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
22 <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
25 <Value>FACULTY</Value>
26 <Value>STUDENT</Value>
29 <Value>AFFILIATE</Value>
30 <Value>EMPLOYEE</Value>
33 <!-- Example of Scope rule to override site metadata. -->
34 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
35 <Scope Accept="false">shibdev.edu</Scope>
36 <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
41 This attribute is provided mostly to ease testing because an IdP out of the box only
42 sends the unscoped version. It has little use because it lacks the context needed to
43 work in a multi-domain scenario and is a subset of the scoped version anyway.
45 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
48 <Value>FACULTY</Value>
49 <Value>STUDENT</Value>
52 <Value>AFFILIATE</Value>
53 <Value>EMPLOYEE</Value>
57 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
58 <!-- Basic rule to pass through any value. -->
60 <Value Type="regexp">^[^@]+$</Value>
64 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
65 <!-- Entitlements tend to be filtered per-site. -->
68 Optional site rule that applies to any site
70 <Value>urn:mace:example.edu:exampleEntitlement</Value>
74 <!-- Specific rules for an origin site, these are just development/sample sites. -->
75 <SiteRule Name="urn:mace:inqueue:example.edu">
76 <Value Type="regexp">^urn:mace:.+$</Value>
78 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
79 <Value Type="regexp">^urn:mace:.+$</Value>
83 <!-- A persistent id attribute that supports personalized anonymous access. -->
85 <!-- First, the deprecated version: -->
86 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Scoped="true" Header="Shib-TargetedID" Alias="targeted_id">
92 <!-- Second, the new version: -->
93 <AttributeRule Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" Header="Shib-TargetedID" Alias="targeted_id">
99 <!-- Some more eduPerson attributes, uncomment these to use them... -->
102 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
108 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" CaseSensitive="false" Header="Shib-EP-PrimaryAffiliation">
110 <Value>MEMBER</Value>
111 <Value>FACULTY</Value>
112 <Value>STUDENT</Value>
115 <Value>AFFILIATE</Value>
116 <Value>EMPLOYEE</Value>
120 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
126 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
132 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">
141 <!--Examples of common LDAP-based attributes, uncomment to use these... -->
144 <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
150 <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
156 <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
162 <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
168 <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
174 <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
180 <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
186 <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
192 <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
198 <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
204 <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
210 <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
216 <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
222 <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
228 <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
234 <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
240 <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
246 <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
252 <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
258 <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
264 <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
270 <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
276 <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
282 <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
288 <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
296 </AttributeAcceptancePolicy>