--- /dev/null
+<AttributeAcceptancePolicy xmlns="urn:mace:shibboleth:1.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="urn:mace:shibboleth:1.0 @-PKGXMLDIR-@/shibboleth.xsd">
+
+ <!--
+ An AAP is a set of AttributeRule elements, each one
+ referencing a specific attribute by URI. All attributes that
+ should be visible to an application running at the target should
+ be listed, or they will be filtered out.
+
+ The Header and Alias attributes map an attribute to an HTTP header
+ and to an htaccess rule name respectively. Without Header, the attribute
+ will only be obtainable from the exported SAML assertion in raw XML.
+
+ Scoped attributes are also filtered on Scope via the Domain elements
+ in the site metadata.
+ -->
+
+ <!-- First some useful eduPerson attributes that many sites might use. -->
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
+ <!-- Filtering rule to limit values to eduPerson-defined enumeration. -->
+ <AnySite>
+ <Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
+ <Value Type="regexp">^[F|f][A|a][C|c][U|u][L|l][T|t][Y|y]$</Value>
+ <Value Type="regexp">^[S|s][T|t][U|u][D|d][E|e][N|n][T|t]$</Value>
+ <Value Type="regexp">^[S|s][T|t][A|a][F|f][F|f]$</Value>
+ <Value Type="regexp">^[A|a][L|l][U|u][M|m]$</Value>
+ <Value Type="regexp">^[A|a][F|f][F|f][I|i][L|l][I|i][A|a][T|t][E|e]$</Value>
+ <Value Type="regexp">^[E|e][M|m][P|p][L|l][O|o][Y|y][E|e][E|e]$</Value>
+ </AnySite>
+
+ <!-- Example of Scope rule to override site metadata. -->
+ <SiteRule Name="urn:mace:inqueue:shibdev.edu">
+ <Scope Accept="false">shibdev.edu</Scope>
+ <Scope Type="regexp">^.+\.shibdev\.edu$</Scope>
+ </SiteRule>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
+ <AnySite>
+ <Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
+ <Value Type="regexp">^[F|f][A|a][C|c][U|u][L|l][T|t][Y|y]$</Value>
+ <Value Type="regexp">^[S|s][T|t][U|u][D|d][E|e][N|n][T|t]$</Value>
+ <Value Type="regexp">^[S|s][T|t][A|a][F|f][F|f]$</Value>
+ <Value Type="regexp">^[A|a][L|l][U|u][M|m]$</Value>
+ <Value Type="regexp">^[A|a][F|f][F|f][I|i][L|l][I|i][A|a][T|t][E|e]$</Value>
+ <Value Type="regexp">^[E|e][M|m][P|p][L|l][O|o][Y|y][E|e][E|e]$</Value>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrincipalName" Scoped="true" Header="REMOTE_USER" Alias="user">
+ <!-- Basic rule to pass through any value. -->
+ <AnySite>
+ <Value Type="regexp">^[^@]+$</Value>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonEntitlement" Header="Shib-EP-Entitlement" Alias="entitlement">
+ <!-- Entitlements tend to be filtered per-site. -->
+
+ <!--
+ Optional site rule that applies to any site
+ <AnySite>
+ <Value>urn:mace:example.edu:exampleEntitlement</Value>
+ </AnySite>
+ -->
+
+ <!-- Specific rules for an origin site, these are just development/sample sites. -->
+ <SiteRule Name="urn:mace:inqueue:example.edu">
+ <Value Type="regexp">^urn:mace:.+$</Value>
+ </SiteRule>
+ <SiteRule Name="urn:mace:inqueue:shibdev.edu">
+ <Value Type="regexp">^urn:mace:.+$</Value>
+ </SiteRule>
+ </AttributeRule>
+
+ <!-- A persistent id attribute that supports personalized anonymous access. -->
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonTargetedID" Header="Shib-TargetedID" Alias="targeted_id">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <!-- Some more eduPerson attributes, uncomment these to use them... -->
+ <!--
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonNickname">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" Header="Shib-EP-PrimaryAffiliation">
+ <AnySite>
+ <Value Type="regexp">^[M|m][E|e][M|m][B|b][E|e][R|r]$</Value>
+ <Value Type="regexp">^[F|f][A|a][C|c][U|u][L|l][T|t][Y|y]$</Value>
+ <Value Type="regexp">^[S|s][T|t][U|u][D|d][E|e][N|n][T|t]$</Value>
+ <Value Type="regexp">^[S|s][T|t][A|a][F|f][F|f]$</Value>
+ <Value Type="regexp">^[A|a][L|l][U|u][M|m]$</Value>
+ <Value Type="regexp">^[A|a][F|f][F|f][I|i][L|l][I|i][A|a][T|t][E|e]$</Value>
+ <Value Type="regexp">^[E|e][M|m][P|p][L|l][O|o][Y|y][E|e][E|e]$</Value>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonPrimaryOrgUnitDN" Header="Shib-EP-PrimaryOrgUnitDN">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN" Header="Shib-EP-OrgUnitDN">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonOrgDN" Header="Shib-EP-OrgDN">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ -->
+
+
+ <!--Examples of common LDAP-based attributes, uncomment to use these... -->
+ <!--
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:cn" Header="Shib-Person-commonName">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:sn" Header="Shib-Person-surname">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:telephoneNumber" Header="Shib-Person-telephoneNumber">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:title" Header="Shib-OrgPerson-title">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:initials" Header="Shib-InetOrgPerson-initials">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:description" Header="Shib-Person-description">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:carLicense" Header="Shib-InetOrgPerson-carLicense">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:departmentNumber" Header="Shib-InetOrgPerson-deptNum">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:displayName" Header="Shib-InetOrgPerson-displayName">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:employeeNumber" Header="Shib-InetOrgPerson-employeeNum">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:employeeType" Header="Shib-InetOrgPerson-employeeType">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:preferredLanguage" Header="Shib-InetOrgPerson-prefLang">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:manager" Header="Shib-InetOrgPerson-manager">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:roomNumber" Header="Shib-InetOrgPerson-roomNum">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:seeAlso" Header="Shib-OrgPerson-seeAlso">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:facsimileTelephoneNumber" Header="Shib-OrgPerson-fax">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:street" Header="Shib-OrgPerson-street">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:postOfficeBox" Header="Shib-OrgPerson-POBox">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:postalCode" Header="Shib-OrgPerson-postalCode">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:st" Header="Shib-OrgPerson-state">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:givenName" Header="Shib-InetOrgPerson-givenName">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:l" Header="Shib-OrgPerson-locality">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:businessCategory" Header="Shib-InetOrgPerson-businessCat">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:ou" Header="Shib-OrgPerson-orgUnit">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ <AttributeRule Name="urn:mace:dir:attribute-def:physicalDeliveryOfficeName" Header="Shib-OrgPerson-OfficeName">
+ <AnySite>
+ <AnyValue/>
+ </AnySite>
+ </AttributeRule>
+
+ -->
+
+</AttributeAcceptancePolicy>