Imported Upstream version 2.4+dfsg

[shibboleth/sp.git] / configs / attribute-policy.xml

diff --git a/configs/attribute-policy.xml b/configs/attribute-policy.xml
index 22ae662..a2d1742 100644 (file)
--- a/configs/attribute-policy.xml
+++ b/configs/attribute-policy.xml
@@ -1,5 +1,6 @@
 <afp:AttributeFilterPolicyGroup
     xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
+    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
     xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
     xmlns:afp="urn:mace:shibboleth:2.0:afp"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
@@ -24,7 +25,7 @@
         <Rule xsi:type="NOT">
             <Rule xsi:type="AttributeValueRegex" regex="@"/>
         </Rule>
-        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"/>
+        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
     </afp:PermitValueRule>
 
     <afp:AttributeFilterPolicy>
@@ -52,7 +53,12 @@
         <afp:AttributeRule attributeID="targeted-id">
             <afp:PermitValueRuleReference ref="ScopingRules"/>
         </afp:AttributeRule>
-        
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <afp:AttributeRule attributeID="persistent-id">
+            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
+        </afp:AttributeRule>
+
         <!-- Catch-all that passes everything else through unmolested. -->
         <afp:AttributeRule attributeID="*">
             <afp:PermitValueRule xsi:type="ANY"/>