

This is an example of a standard entity-category-based attribute filter for SWAMID 2.0 in a Shibboleth IdP, which fulfils SWAMID's Best Current Practice "Entity Category attribute release in SWAMID".


attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>

<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

<!--  Release the transient ID to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
	        <PolicyRequirementRule xsi:type="ANY" />
	
        <AttributeRule attributeID="transientId">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
</AttributeFilterPolicy>

<!-- GEANT Data protection Code of Conduct -->
<AttributeFilterPolicy id="releaseToCoCo">
	        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
		attributeName="http                attributeName="http://macedir.org/entity-category"
		                attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
        <AttributeRule attributeID="eduPersonTargetedID">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
	        <AttributeRule attributeID="eduPersonPrincipalName">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	</AttributeRule>
	<AttributeRule attributeID="eduPersonUniqueId">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonOrcideduPersonUniqueId">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="norEduPersonNINeduPersonOrcid">
		                <PermitValueRule xsi:type="AND">
			<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
			<Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
		</PermitValueRule>
	</AttributeRule>
	        </AttributeRule>
        <AttributeRule attributeID="personalIdentityNumbernorEduPersonNIN">
		                <PermitValueRule xsi:type="AND">
			<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
			                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
		</PermitValueRule>
	                </PermitValueRule>
        </AttributeRule>
	        <AttributeRule attributeID="schacDateOfBirthpersonalIdentityNumber">
		                <PermitValueRule xsi:type="AttributeInMetadataAND" onlyIfRequired="true" />
	</AttributeRule>
	<AttributeRule attributeID="mail">
		<PermitValueRule>
                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	</AttributeRule>
	<AttributeRule attributeID="cn">
		<PermitValueRule                        <Rule xsi:type="AttributeInMetadataRegistrationAuthority" onlyIfRequiredregistrars="truehttp://www.swamid.se/" />
	                </PermitValueRule>
        </AttributeRule>
	        <AttributeRule attributeID="displayNameschacDateOfBirth">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="givenNamemail">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="sncn">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonAssurancedisplayName">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonScopedAffiliationgivenName">
		<PermitValueRule xsi:type="AND">
			<Rule                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
			<Rule xsi:type="OR">
				<Rule        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="facultytrue" ignoreCase="true" />
				<Rule />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ValueAttributeInMetadata" value="student" ignoreCaseonlyIfRequired="true" />
				<Rule xsi:type="Value" value="staff" ignoreCase="true" />
				<Rule        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule xsi:type="ValueAND" value="alum" ignoreCase="true" />
				>
                        <Rule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="member" ignoreCase="true" />
				                        <Rule xsi:type="ValueOR">
 value="affiliate" ignoreCase="true" />
				                               <Rule xsi:type="Value" value="employeefaculty" ignoreCase="true" />
				<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
			</Rule>
		</PermitValueRule>
	</AttributeRule>
	<AttributeRule attributeID="eduPersonAffiliation">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired                             <Rule xsi:type="Value" value="student" ignoreCase="true" />
	</AttributeRule>
	<AttributeRule attributeID="organizationName">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired                                <Rule xsi:type="Value" value="staff" ignoreCase="true" />
	</AttributeRule>
	<AttributeRule attributeID="norEduOrgAcronym">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	</AttributeRule>
	<AttributeRule attributeID="countryName">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired                                <Rule xsi:type="Value" value="alum" ignoreCase="true" />
	</AttributeRule>
	<AttributeRule attributeID="friendlyCountryName">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired                                <Rule xsi:type="Value" value="member" ignoreCase="true" />
	</AttributeRule>
	<AttributeRule attributeID="schacHomeOrganization">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
	</AttributeRule>
	<AttributeRule attributeID="schacHomeOrganizationType">
		<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired                                <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
	</AttributeRule>
</AttributeFilterPolicy>

<!-- REFEDS Research and Schoolarship -->
<AttributeFilterPolicy id="releaseToRandS">
	<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
		attributeName="http://macedir.org/entity-category"
		attributeValue="http://refeds.org/category/research-and-scholarship" />
    <!-- eduPersonTargetedID should only be released in with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable -->
	<AttributeRule attributeID="eduPersonTargetedID">
		<PermitValueRule xsi:type="NOT">
			                                <Rule xsi:type="Value" value="employee" ignoreCase="true" />
                                <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurancelibrary-walk-in" ignoreCase="true" />
		</PermitValueRule>
                        </AttributeRule>Rule>
	<AttributeRule attributeID="displayName">
		<PermitValueRule xsi:type="ANY" />
	</AttributeRule>
	                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="givenNameeduPersonAffiliation">
		                <PermitValueRule xsi:type="ANYAttributeInMetadata" />
	onlyIfRequired="true" />
        </AttributeRule>
	        <AttributeRule attributeID="surnameo">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" />
	        </AttributeRule>
	        <AttributeRule attributeID="mailnorEduOrgAcronym">
		                <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonUniqueIdc">
		                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonAssuranceco">
		                <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonPrincipalNameschacHomeOrganization">
		<PermitValueRule xsi:type="ANY" />
	</AttributeRule>
	               <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliationschacHomeOrganizationType">
		                <PermitValueRule xsi:type="OR">
			<Rule xsi:type="Value" value="faculty" ignoreCase="AttributeInMetadata" onlyIfRequired="true" />
			<Rule xsi:type="Value" value="student" ignoreCase="true" />
			<Rule xsi:type="Value" value="staff" ignoreCase="true" </>
			<Rule xsi:type="Value" value="alum" ignoreCase="true" />
			<Rule xsi:type="Value" value="member" ignoreCase="true" />
			<RuleAttributeRule>
</AttributeFilterPolicy>

<!-- REFEDS Research and Schoolarship -->
<AttributeFilterPolicy id="releaseToRandS">
        <PolicyRequirementRule xsi:type="ValueEntityAttributeExactMatch" value="affiliate" ignoreCase="true" />
			<Rule xsi:type="Value" value="employee" ignoreCase="true" />
			<Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
		</PermitValueRule>
	</AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 -->
<AttributeFilterPolicy id="entity-category-research-and-education">
	<PolicyRequirementRule
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://refeds.org/category/research-and-scholarship" />
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="ANDNOT">
		                        <Rule xsi:type="OR">
			<Rule xsi:type="EntityAttributeExactMatch"
				attributeName="httpValue" value="https://macedirrefeds.org/entity-category"
				attributeValue="http://www.swamid.se/category/eu-adequate-protection/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" />
			<Rule xsi:type="EntityAttributeExactMatch"
				attributeName="http://macedir.org/entity-category"
				attributeValue="http://www.swamid.se/category/nren-service" />
			<Rule                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="EntityAttributeExactMatch"
				attributeName="http://macedir.org/entity-category"
				attributeValue="http://www.swamid.se/category/hei-service" />
		</Rule>
		<Rule xsi:type="EntityAttributeExactMatch"
			attributeName="http://macedir.org/entity-category"
			attributeValue="http://www.swamid.se/category/research-and-education" />
	</PolicyRequirementRule>
	<AttributeRule attributeID="givenName">
		ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonUniqueId">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule xsi:type="OR">
                        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
                        <Rule xsi:type="Value" value="student" ignoreCase="true" />
                        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
                        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
                        <Rule xsi:type="Value" value="member" ignoreCase="true" />
                        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
                        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
                        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
                </PermitValueRule>
        </AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 -->
<AttributeFilterPolicy id="entity-category-research-and-education">
        <PolicyRequirementRule xsi:type="AND">
                <Rule xsi:type="OR">
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/nren-service" />
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/hei-service" />
                </Rule>
                <Rule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/research-and-education" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	<AttributeRule attributeID="surname">
		
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="displayNamemail">
		                <PermitValueRule xsi:type="ANY" />
	</AttributeRule>
	<AttributeRule attributeID="commonName">
		<PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="eduPersonPrincipalNameeduPersonScopedAffiliation">
		                <PermitValueRule xsi:type="ANYOR" />
	</AttributeRule>
	<AttributeRule attributeID="eduPersonAssurance">
		<PermitValueRule>
                        <Rule xsi:type="ANY" />
	</AttributeRule>
	<AttributeRule attributeID="mail">
		<PermitValueRuleValue" value="faculty" ignoreCase="true" />
                        <Rule xsi:type="ANY" />
	</AttributeRule>
	<AttributeRule attributeID="eduPersonScopedAffiliation">
		<PermitValueRule xsi:type="OR">
			Value" value="student" ignoreCase="true" />
                        <Rule xsi:type="Value" value="facultystaff" ignoreCase="true" />
			 />
                        <Rule xsi:type="Value" value="studentalum" ignoreCase="true" />
			                        <Rule xsi:type="Value" value="staffmember" ignoreCase="true" />
			<Rule xsi:type="Value" value="alum" ignoreCase="true" />
			                        <Rule xsi:type="Value" value="memberaffiliate" ignoreCase="true" />
			                        <Rule xsi:type="Value" value="affiliateemployee" ignoreCase="true" />
			<Rule xsi:type="Value" value="employee" ignoreCase="true" />
			                        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
		                </PermitValueRule>
	</AttributeRule>
	<AttributeRule attributeID="organizationName">
		        </AttributeRule>
        <AttributeRule attributeID="o">
                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="norEduOrgAcronym">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="countryNamec">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="friendlyCountryNameco">
		                <PermitValueRule xsi:type="ANY" />
	</AttributeRule>
	        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-sfs-1993-1153 WILL BE REMOVED 2020-10-31-->
<AttributeFilterPolicy id="entity-category-sfs-1993-1153">
	<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
			        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
			                        attributeValue="http://www.swamid.se/category/sfs-1993-1153" />

	        <AttributeRule attributeID="norEduPersonNIN">
		                <PermitValueRule xsi:type="ANY" />
	
        </AttributeRule>
	        <AttributeRule attributeID="eduPersonAssurance">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
</AttributeFilterPolicy>

<!-- Examples of entityId based release to Service Providers -->

<!-- Release to testshib.org -->
<!--
<AttributeFilterPolicy id="testShib">
	        <PolicyRequirementRule xsi:type="Requester" value="https://sp.testshib.org/shibboleth-sp" />

	        <AttributeRule attributeID="givenName">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>

	        <AttributeRule attributeID="commonName">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>

	        <AttributeRule attributeID="surname">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>

	        <AttributeRule attributeID="principal">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>

</AttributeFilterPolicy>
-->




<!-- NyA-webben UHR -->
<!--
<AttributeFilterPolicy id="releaseNyAwebbenEntitlement">
	        <PolicyRequirementRule xsi:type="OR">
		
                <Rule xsi:type="Requester" value="https://expert.antagning.se/ecs-sp" />
		                <Rule xsi:type="Requester" value="https://expert.testa.antagning.se/ecs-sp" />
		                <Rule xsi:type="Requester" value="https://expert.testb.antagning.se/ecs-sp" />
	        </PolicyRequirementRule>

	        <AttributeRule attributeID="NyAwebbenEntitlement">
		>
                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
</AttributeFilterPolicy>
-->




<!--  New TCS Personal -->
<!--
<AttributeFilterPolicy id="releaseTcsPersonalEntitlement">
	        <PolicyRequirementRule xsi:type="Requester" value="https://www.digicert.com/sso" />

	        <AttributeRule attributeID="displayName">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	
        <AttributeRule attributeID="eduPersonPrincipalName">
		                <PermitValueRule xsi:type="ANY"/>
	        </AttributeRule>
	        <AttributeRule attributeID="tcsPersonalEntitlement">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	
        <AttributeRule attributeID="mail">
		                <PermitValueRule xsi:type="ANY" />
	        </AttributeRule>
	        <AttributeRule attributeID="schacHomeOrganization">
		                <PermitValueRule xsi:type="ANY"/>
	        </AttributeRule>
</AttributeFilterPolicy>
-->




<!-- PLACEHOLDER DO NOT REMOVE -->



</AttributeFilterPolicyGroup>
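Review bot: The deprecated `entity-category-sfs-1993-1153` policy (from the `<AttributeFilterPolicy id="entity-category-sfs-1993-1153">` line) releases `norEduPersonNIN` with `<PermitValueRule xsi:type="ANY" />` on the strength of the entity-category value alone, whereas the `releaseToCoCo` policy guards the same attribute with an `AND` of `AttributeInMetadata` and `RegistrationAuthority registrars="http://www.swamid.se/"`. If this IdP loads metadata from more than one registrar, the national identity number would be released to any entity that merely carries the SWAMID category URI, so adding `<Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />` under an `AND` `PolicyRequirementRule` alongside the existing `EntityAttributeExactMatch` keeps the two policies consistent until the 2020-10-31 removal announced in the comment. The compare view merges old and new text on many lines, so which rule shape is current cannot be confirmed from the rendering alone and should be checked against the actual file. The comment `<!-- REFEDS Research and Schoolarship -->` should read `Scholarship`.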
