1 <AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0">
4 An AAP is a set of AttributeRule elements, each one
5 referencing a specific attribute by URI. All attributes that
6 should be visible to an application running at the target should
7 be listed, or they will be filtered out.
9 The Header and Alias attributes map an attribute to an HTTP header
10 and to an htaccess rule name respectively. Without Header, the attribute
11 will only be obtainable from the exported SAML assertion in raw XML.
13 Scoped attributes are also filtered on Scope via the Domain elements
17 <!-- First some useful eduPerson attributes that many sites might use. -->
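<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
<!--
  Filtering rule to limit values to the eduPerson-defined enumeration
  (member, faculty, student, staff, alum, affiliate, employee), in either
  letter case. Each class lists only the two cases of a letter: inside
  [...] a '|' is a literal character, not alternation, so [M|m] would also
  accept '|' in that position and let values such as "||||||" through.
-->
<Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
<Value Type="regexp">^[Ff][Aa][Cc][Uu][Ll][Tt][Yy]$</Value>
<Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
<Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
<Value Type="regexp">^[Aa][Ll][Uu][Mm]$</Value>
<Value Type="regexp">^[Aa][Ff][Ff][Ii][Ll][Ii][Aa][Tt][Ee]$</Value>
<Value Type="regexp">^[Ee][Mm][Pp][Ll][Oo][Yy][Ee][Ee]$</Value>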
31 <!-- Example of Scope rule to override site metadata for the origin
     urn:mace:inqueue:shibdev.edu. The first Scope entry names the exact
     scope shibdev.edu with Accept="false"; the second is a regexp that
     matches any scope ending in ".shibdev.edu" with at least one character
     in front of it.
     NOTE(review): presumably the bare scope is rejected and its subdomains
     are accepted; confirm the Accept default against the AAP schema. -->
32 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
33 <Scope Accept="false">shibdev.edu</Scope>
34 <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
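<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
<!--
  Limits the unscoped affiliation to the eduPerson-defined enumeration
  (member, faculty, student, staff, alum, affiliate, employee), in either
  letter case. Classes are written [Mm] rather than [M|m]: inside [...] a
  '|' is a literal character, not alternation, so the longer form would
  also accept '|' in every position.
-->
<Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
<Value Type="regexp">^[Ff][Aa][Cc][Uu][Ll][Tt][Yy]$</Value>
<Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
<Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
<Value Type="regexp">^[Aa][Ll][Uu][Mm]$</Value>
<Value Type="regexp">^[Aa][Ff][Ff][Ii][Ll][Ii][Aa][Tt][Ee]$</Value>
<Value Type="regexp">^[Ee][Mm][Pp][Ll][Oo][Yy][Ee][Ee]$</Value>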
50 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
51 <!-- Basic rule to pass through any non-empty value that contains no '@'.
     The Header attribute maps this attribute to REMOTE_USER, which
     applications commonly treat as the authenticated user name, so this
     filter decides what identity string the application receives.
     NOTE(review): with Scoped="true" the scope part is presumably checked
     separately by the Scope filtering described at the top of this file;
     confirm that the scope is restricted for every accepted origin. -->
53 <Value Type="regexp">^[^@]+$</Value>
57 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
58 <!-- Entitlements tend to be filtered per-site. -->
61 Optional site rule that applies to any site
63 <Value>urn:mace:example.edu:exampleEntitlement</Value>
67 <!-- Specific rules for an origin site; these are just development/sample sites.
     Each rule below accepts any entitlement value that begins with
     "urn:mace:" from the named origin. Entitlements are typically used for
     authorization decisions, so replace these sample rules with rules for
     the origins and the entitlement values this deployment actually relies
     on before production use. -->
68 <SiteRule Name="urn:mace:inqueue:example.edu">
69 <Value Type="regexp">^urn:mace:.+$</Value>
71 <SiteRule Name="urn:mace:inqueue:shibdev.edu">
72 <Value Type="regexp">^urn:mace:.+$</Value>
76 <!-- A persistent id attribute that supports personalized anonymous access. -->
77 <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Header="Shib-TargetedID" Alias="targeted_id">
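<!-- Some more eduPerson attributes, uncomment these to use them...
     Enable only what the application needs: attributes that are not listed
     are filtered out, and each rule with a Header exposes its value to the
     application in that HTTP header.
     The eduPersonPrimaryAffiliation patterns limit values to the eduPerson
     enumeration in either letter case. Classes are written [Mm] rather than
     [M|m] because '|' inside a character class is a literal character, not
     alternation. -->
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" Header="Shib-EP-PrimaryAffiliation">
<Value Type="regexp">^[Mm][Ee][Mm][Bb][Ee][Rr]$</Value>
<Value Type="regexp">^[Ff][Aa][Cc][Uu][Ll][Tt][Yy]$</Value>
<Value Type="regexp">^[Ss][Tt][Uu][Dd][Ee][Nn][Tt]$</Value>
<Value Type="regexp">^[Ss][Tt][Aa][Ff][Ff]$</Value>
<Value Type="regexp">^[Aa][Ll][Uu][Mm]$</Value>
<Value Type="regexp">^[Aa][Ff][Ff][Ii][Ll][Ii][Aa][Tt][Ee]$</Value>
<Value Type="regexp">^[Ee][Mm][Pp][Ll][Oo][Yy][Ee][Ee]$</Value>
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">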
125 <!--Examples of common LDAP-based attributes, uncomment to use these...
     Every rule below carries a Header attribute, so an enabled rule places
     the attribute value in that HTTP header for the application. Several of
     these are personal data (telephoneNumber, street, postalCode,
     employeeNumber), so enable only the ones the application needs. -->
128 <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
134 <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
140 <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
146 <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
152 <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
158 <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
164 <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
170 <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
176 <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
182 <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
188 <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
194 <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
200 <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
206 <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
212 <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
218 <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
224 <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
230 <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
236 <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
242 <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
248 <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
254 <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
260 <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
266 <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
272 <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
280 </AttributeAcceptancePolicy>