...
This is an example of a standard entity-category-based attribute filter for SWAMID 2.0 in a Shibboleth IdP that fulfils SWAMID's Best Current Practice "Entity Category attribute release in SWAMID". |
<?xml version="1.0" encoding="UTF-8"?> <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> <!-- Release the transient ID to anyone --> <AttributeFilterPolicy id="releaseTransientIdToAnyone"> <PolicyRequirementRule xsi:type="ANY" /> <AttributeRule attributeID="transientId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> <!-- GEANT Data protection Code of Conduct --> <AttributeFilterPolicy id="releaseToCoCo"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonUniqueId"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonOrcideduPersonUniqueId"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="norEduPersonNINeduPersonOrcid"> <PermitValueRule xsi:type="AND"> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> </PermitValueRule> </AttributeRule> </AttributeRule> <AttributeRule attributeID="personalIdentityNumbernorEduPersonNIN"> <PermitValueRule xsi:type="AND"> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="RegistrationAuthority" 
registrars="http://www.swamid.se/" /> </PermitValueRule> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="schacDateOfBirthpersonalIdentityNumber"> <PermitValueRule xsi:type="AttributeInMetadataAND" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="cn"> <PermitValueRule <Rule xsi:type="AttributeInMetadataRegistrationAuthority" onlyIfRequiredregistrars="truehttp://www.swamid.se/" /> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="displayNameschacDateOfBirth"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="givenNamemail"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="sncn"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurancedisplayName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliationgivenName"> <PermitValueRule xsi:type="AND"> <Rule <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="OR"> <Rule </AttributeRule> <AttributeRule attributeID="sn"> <PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="facultytrue" ignoreCase="true" /> <Rule /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule xsi:type="ValueAttributeInMetadata" value="student" ignoreCaseonlyIfRequired="true" /> <Rule xsi:type="Value" value="staff" ignoreCase="true" /> <Rule </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="ValueAND" value="alum" ignoreCase="true" /> > <Rule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="member" ignoreCase="true" /> <Rule 
xsi:type="ValueOR"> value="affiliate" ignoreCase="true" /> <Rule xsi:type="Value" value="employeefaculty" ignoreCase="true" /> <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> </Rule> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="eduPersonAffiliation"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired <Rule xsi:type="Value" value="student" ignoreCase="true" /> </AttributeRule> <AttributeRule attributeID="organizationName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired <Rule xsi:type="Value" value="staff" ignoreCase="true" /> </AttributeRule> <AttributeRule attributeID="norEduOrgAcronym"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="countryName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired <Rule xsi:type="Value" value="alum" ignoreCase="true" /> </AttributeRule> <AttributeRule attributeID="friendlyCountryName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired <Rule xsi:type="Value" value="member" ignoreCase="true" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganizationType"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> </AttributeRule> </AttributeFilterPolicy> <!-- REFEDS Research and Schoolarship --> <AttributeFilterPolicy id="releaseToRandS"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship" /> <!-- eduPersonTargetedID should only be released in with the entity category REFEDS Research & Scholarship if eduPersonPrincipalName is reassignable --> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="NOT"> <Rule 
xsi:type="Value" value="employee" ignoreCase="true" /> <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurancelibrary-walk-in" ignoreCase="true" /> </PermitValueRule> </AttributeRule>Rule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="givenNameeduPersonAffiliation"> <PermitValueRule xsi:type="ANYAttributeInMetadata" /> onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="surnameo"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" /> </AttributeRule> <AttributeRule attributeID="mailnorEduOrgAcronym"> <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonUniqueIdc"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssuranceco"> <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalNameschacHomeOrganization"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliationschacHomeOrganizationType"> <PermitValueRule xsi:type="OR"> <Rule xsi:type="Value" value="faculty" ignoreCase="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="Value" value="student" ignoreCase="true" /> <Rule xsi:type="Value" value="staff" ignoreCase="true" </> <Rule xsi:type="Value" value="alum" ignoreCase="true" /> <Rule xsi:type="Value" value="member" ignoreCase="true" /> <RuleAttributeRule> </AttributeFilterPolicy> <!-- REFEDS Research and Schoolarship --> <AttributeFilterPolicy id="releaseToRandS"> <PolicyRequirementRule xsi:type="ValueEntityAttributeExactMatch" value="affiliate" ignoreCase="true" /> 
<Rule xsi:type="Value" value="employee" ignoreCase="true" /> <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 --> <AttributeFilterPolicy id="entity-category-research-and-education"> <PolicyRequirementRule attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship" /> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="ANDNOT"> <Rule xsi:type="OR"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="httpValue" value="https://macedirrefeds.org/entity-category" attributeValue="http://www.swamid.se/category/eu-adequate-protection/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" /> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/nren-service" /> <Rule </PermitValueRule> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/hei-service" /> </Rule> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/research-and-education" /> </PolicyRequirementRule> <AttributeRule attributeID="givenName"> ANY" /> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="sn"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonUniqueId"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule xsi:type="ANY" /> 
</AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="OR"> <Rule xsi:type="Value" value="faculty" ignoreCase="true" /> <Rule xsi:type="Value" value="student" ignoreCase="true" /> <Rule xsi:type="Value" value="staff" ignoreCase="true" /> <Rule xsi:type="Value" value="alum" ignoreCase="true" /> <Rule xsi:type="Value" value="member" ignoreCase="true" /> <Rule xsi:type="Value" value="affiliate" ignoreCase="true" /> <Rule xsi:type="Value" value="employee" ignoreCase="true" /> <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 --> <AttributeFilterPolicy id="entity-category-research-and-education"> <PolicyRequirementRule xsi:type="AND"> <Rule xsi:type="OR"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/eu-adequate-protection" /> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/nren-service" /> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/hei-service" /> </Rule> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/research-and-education" /> </PolicyRequirementRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="sn"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="cn"> <PermitValueRule xsi:type="ANY" /> 
</AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="surname"> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="displayNamemail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="commonName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalNameeduPersonScopedAffiliation"> <PermitValueRule xsi:type="ANYOR" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule> <Rule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRuleValue" value="faculty" ignoreCase="true" /> <Rule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="OR"> Value" value="student" ignoreCase="true" /> <Rule xsi:type="Value" value="facultystaff" ignoreCase="true" /> /> <Rule xsi:type="Value" value="studentalum" ignoreCase="true" /> <Rule xsi:type="Value" value="staffmember" ignoreCase="true" /> <Rule xsi:type="Value" value="alum" ignoreCase="true" /> <Rule xsi:type="Value" value="memberaffiliate" ignoreCase="true" /> <Rule xsi:type="Value" value="affiliateemployee" ignoreCase="true" /> <Rule xsi:type="Value" value="employee" ignoreCase="true" /> <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" /> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="organizationName"> </AttributeRule> <AttributeRule attributeID="o"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="norEduOrgAcronym"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="countryNamec"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="friendlyCountryNameco"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeRule> <AttributeRule 
attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> <!-- DEPRECATED entity-category-sfs-1993-1153 WILL BE REMOVED 2020-10-31--> <AttributeFilterPolicy id="entity-category-sfs-1993-1153"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/sfs-1993-1153" /> <AttributeRule attributeID="norEduPersonNIN"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> <!-- Examples of entityId based release to Service Providers --> <!-- Release to testshib.org --> <!-- <AttributeFilterPolicy id="testShib"> <PolicyRequirementRule xsi:type="Requester" value="https://sp.testshib.org/shibboleth-sp" /> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="commonName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="surname"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="principal"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> --> <!-- NyA-webben UHR --> <!-- <AttributeFilterPolicy id="releaseNyAwebbenEntitlement"> <PolicyRequirementRule xsi:type="OR"> <Rule xsi:type="Requester" value="https://expert.antagning.se/ecs-sp" /> <Rule xsi:type="Requester" value="https://expert.testa.antagning.se/ecs-sp" /> <Rule xsi:type="Requester" value="https://expert.testb.antagning.se/ecs-sp" /> </PolicyRequirementRule> <AttributeRule attributeID="NyAwebbenEntitlement"> > <PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> --> <!-- New TCS Personal --> <!-- <AttributeFilterPolicy id="releaseTcsPersonalEntitlement"> <PolicyRequirementRule xsi:type="Requester" 
value="https://www.digicert.com/sso" /> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="tcsPersonalEntitlement"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy> --> <!-- PLACEHOLDER DO NOT REMOVE --> </AttributeFilterPolicyGroup> |
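Review bot: The listing as rendered is a word-level comparison of two page versions fused into one text (for example `attributeID="eduPersonOrcideduPersonUniqueId"`, `xsi:type="AttributeInMetadataAND"`, and two `releaseToRandS` policies with two `DEPRECATED ... WILL BE REMOVED 2020-10-31` notices), so it is not well-formed XML and must not be pasted into `attribute-filter.xml` as shown; the current version should be rendered on its own. On the current side of the CoCo policy, the `norEduPersonNIN` and `personalIdentityNumber` rules combine `AttributeInMetadata onlyIfRequired="true"` with `RegistrationAuthority registrars="http://www.swamid.se/"` inside an `AND`, and that narrowing deserves a comment stating its intent, e.g. `<!-- Identity-number attributes are released under CoCo only when required in SP metadata AND the SP is registered by SWAMID -->`. The two policies marked deprecated still grant `PermitValueRule xsi:type="ANY"` for several attributes; if the stated removal date has passed they should be deleted rather than left active, since a lingering broad-release policy is easy to overlook in later reviews.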
...