<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
    Attribute filter policy for the SP. Incoming attribute values that are not permitted
    by a matching AttributeRule below are discarded before the application sees them.
    The PermitValueRule elements that carry an id are shared rules; the AttributeRules
    further down refer to them through RuleReference / PermitValueRuleReference.
    Unprefixed elements (Rule, RuleReference) live in the default "basic" match function
    namespace declared on the root; the single saml: rule declares its own namespace
    inline.
    -->

    <!--
    Shared rule for affiliation values: an OR of exact string matches, so only the
    eduPersonAffiliation vocabulary listed here is permitted and anything else is dropped.
    -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
    </afp:PermitValueRule>

    <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
    Both conditions must hold (AND):
      1. the value part must not contain "@", so a scope cannot be passed embedded in the
         value string instead of in the separate scope;
      2. the scope must match a shibmd:Scope declared in the asserting party's metadata
         (as the AttributeScopeMatchesShibMDScope function name indicates), so an issuer
         cannot assert a scope it is not registered for.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases: the requirement rule ANY matches every issuer and requester. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!--
        Filter out undefined affiliations and ensure only one primary.
        The scoped "affiliation" attribute must satisfy both the vocabulary check and the
        scoping check; the unscoped and primary variants are only vocabulary-checked, since
        no scope check is applied to them.
        -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <!-- eppn is scope-checked only: any value is accepted provided its scope is valid per metadata. -->
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- targeted-id is scope-checked only, like eppn. -->
        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!--
        Catch-all that passes everything else through unmolested.
        Every attribute without an AttributeRule of its own is accepted with all of its
        values and no scope check. A scoped attribute added to the attribute map therefore
        needs its own AttributeRule referencing ScopingRules here; otherwise its scope is
        never compared against the issuer's metadata.
        -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>