<!--
    Shibboleth SP attribute filter policy (build template: the @-PKGXMLDIR-@
    tokens in xsi:schemaLocation are presumably replaced with the installed
    schema directory when the real file is generated from this .in file;
    keep them pointing at local schema copies, never a remote URL).

    The default namespace is the "basic" matcher namespace, so the unprefixed
    <Rule> and <RuleReference> elements below are basic matchers. Policy
    elements carry the afp: prefix; the SAML-specific scope matcher declares
    its own saml: prefix inline where it is used.
-->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp @-PKGXMLDIR-@/shibboleth-2.0-afp.xsd urn:mace:shibboleth:2.0:afp:mf:basic @-PKGXMLDIR-@/shibboleth-2.0-afp-mf-basic.xsd urn:mace:shibboleth:2.0:afp:mf:saml @-PKGXMLDIR-@/shibboleth-2.0-afp-mf-saml.xsd">

    <!--
    Shared allowlist of eduPersonAffiliation values, referenced by the
    affiliation rules in the policy below. A value that is not one of these
    strings is not permitted by any rule that references this list.
    AttributeValueString compares the value as a string (check the matcher's
    documentation for the SP version in use before relying on case folding).
    "library-walk-in", which the eduPerson vocabulary also defines, is not in
    this list; add it here if your deployment expects it, otherwise it is
    dropped.
    -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
    </afp:PermitValueRule>
    
    <!--
    Shared rule for "scoped" attributes (values of the form value@scope as
    decoded by the attribute map). Both conditions must hold for a value to
    be kept:
      1. the value part does not itself contain "@" (NOT AttributeValueRegex
         "@"), so a value cannot carry a second, unchecked scope;
         NOTE(review): whether AttributeValueRegex applies "@" with search or
         full-string semantics is not visible here; confirm for the SP
         version in use.
      2. the scope part matches a shibmd:Scope that the asserting IdP is
         authorized for in its metadata (saml:AttributeScopeMatchesShibMDScope).
    Without (2), any IdP in the federation could assert values for another
    organization's scope. This rule is NOT applied automatically: each scoped
    attribute must reference it explicitly inside its own AttributeRule, as
    the policy below does for affiliation, eppn and targeted-id.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!--
        PolicyRequirementRule "ANY": this policy is in effect for every issuer
        and every request. Nothing in this file distinguishes one IdP from
        another; the only per-issuer trust decision is the metadata scope
        check inside ScopingRules.
        -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!--
        Scoped affiliation (presumably eduPersonScopedAffiliation; the mapping
        to the id "affiliation" lives in attribute-map.xml). A value is kept
        only if BOTH its value part is in the shared allowlist AND its scope
        passes ScopingRules. Note that nothing in this file limits how many
        values an attribute may carry (for example, more than one
        primary-affiliation value would pass), so single-valuedness must be
        enforced by the IdP or by the application.
        -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <!-- Unscoped affiliation forms: allowlist only, there is no scope part to check. -->
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        
        <!--
        eduPersonPrincipalName: the value part is unrestricted here, but the
        scope must belong to the asserting IdP (ScopingRules). This is what
        stops one IdP from asserting identities under another IdP's scope.
        -->
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Scoped targeted identifier: same scope check as eppn. -->
        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>
        
        <!--
        Catch-all: every value of every attribute not named above is
        permitted unchanged.
        Security caveat: any other scoped attribute you map in
        attribute-map.xml is NOT scope-checked unless it gets its own
        AttributeRule referencing ScopingRules, so an IdP could assert such
        values for a scope it does not own. Add an explicit rule for each
        additional scoped attribute before an application relies on it.
        NOTE(review): confirm for the SP version in use that the "*" rule is
        consulted only for attributes that have no more specific rule here.
        -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
        
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>