
...

titleattribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>

<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        	xmlns="urn:mace:shibboleth:2.0:afp"
        	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

	<!-- REFEDS ReleaseAnonymous theAuthorization transient ID to anyoneEntity Category -->
	<AttributeFilterPolicy id="releaseTransientIdToAnyonereleaseToRefedsAnonymous">
        		<PolicyRequirementRule xsi:type="ANYEntityAttributeExactMatch" />

        <AttributeRule attributeID="transientId">
                attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" />
		<AttributeRule attributeID="eduPersonScopedAffiliation">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
</AttributeFilterPolicy>

<!-- GEANT Data protection Code of Conduct		<AttributeRule attributeID="schacHomeOrganization">
			<PermitValueRule xsi:type="ANY"/>
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- REFEDS Pseudonymous Authorization Entity Category -->
<AttributeFilterPolicy id="releaseToCoCo">
        	<!-- Supports data minimalisation to prevent use together with anonymous -->
	<AttributeFilterPolicy id="releaseToRefedsPseudonymous">
		<PolicyRequirementRule xsi:type="EntityAttributeExactMatchAND">
                			<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category"
                attributeValue="httphttps://wwwrefeds.geant.netorg/uri/dataprotection-code-of-conduct/v1category/pseudonymous" />
        <AttributeRule attributeID="eduPersonTargetedID			<Rule xsi:type="NOT">
                <PermitValueRule 				<Rule xsi:type="EntityAttributeExactMatch" attributeName="AttributeInMetadatahttp://macedir.org/entity-category" onlyIfRequiredattributeValue="truehttps://refeds.org/category/anonymous" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                
			</Rule>
		</PolicyRequirementRule>
		<AttributeRule attributeID="samlPairwiseID">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" ANY"/>
        		</AttributeRule>
		<!-- Deprecated, unlikely to be used in the future
        <AttributeRule attributeID="eduPersonUniqueIdeduPersonScopedAffiliation">
                			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" ANY"/>
        		</AttributeRule>
        -->
        		<AttributeRule attributeID="eduPersonOrcidschacHomeOrganization">
                			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" ANY"/>
        		</AttributeRule>
        		<AttributeRule attributeID="norEduPersonNINeduPersonAssurance">
                			<PermitValueRule xsi:type="ANDANY" />
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- REFEDS Personalized Access                     <RuleEntity Category	-->
	<!-- Supports data minimalisation to prevent use together with anonymous and pseudonymous-->
	<AttributeFilterPolicy id="releaseToRefedsPersonalized">
		<PolicyRequirementRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        AND">
			<Rule xsi:type="RegistrationAuthorityEntityAttributeExactMatch" registrarsattributeName="http://wwwmacedir.swamid.se/org/entity-category" />
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="personalIdentityNumber">
                <PermitValueRule attributeValue="https://refeds.org/category/personalized" />
			<Rule xsi:type="NOT">
				<Rule xsi:type="OR">
					<Rule xsi:type="ANDEntityAttributeExactMatch">
                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                         attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" />
					<Rule xsi:type="RegistrationAuthorityEntityAttributeExactMatch" registrarsattributeName="http://www.swamid.se/macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" />
                </PermitValueRule>
        </AttributeRule>
        				</Rule>
			</Rule>
		</PolicyRequirementRule>
		<AttributeRule attributeID="schacDateOfBirthsamlSubjectID">
                			<PermitValueRule xsi:type="AttributeInMetadataANY" onlyIfRequired="true" />
        		</AttributeRule>
        		<AttributeRule attributeID="maildisplayName">
                <PermitValueRule xsi:			<PermitValueRule xsi:type="AttributeInMetadataANY" onlyIfRequired="true" />
        		</AttributeRule>
        		<AttributeRule attributeID="cngivenName">
                			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"ANY" />
        </AttributeRule>
        		</AttributeRule>
		<AttributeRule attributeID="displayNamesn">
                			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="trueANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="givenNamemail">
			<PermitValueRule                xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonAssurance">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="snschacHomeOrganization">
                			<PermitValueRule xsi:type="AttributeInMetadataANY" onlyIfRequired="true" />
        		</AttributeRule>
        		<AttributeRule attributeID="eduPersonAssuranceeduPersonScopedAffiliation">
			<PermitValueRule                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="truexsi:type="OR">
				<Rule xsi:type="Value" value="faculty" caseSensitive="false" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule 				<Rule xsi:type="Value" value="student" caseSensitive="false"/>
				<Rule xsi:type="Value" value="staff" caseSensitive="false"/>
				<Rule xsi:type="ANDValue">
                         value="alum" caseSensitive="false"/>
				<Rule xsi:type="AttributeInMetadataValue" onlyIfRequiredvalue="truemember" caseSensitive="false"/>
                        				<Rule xsi:type="ORValue">
                                 value="affiliate" caseSensitive="false"/>
				<Rule xsi:type="Value" value="facultyemployee" ignoreCasecaseSensitive="truefalse" />
				<Rule xsi:type="Value"                               <Rule xsi:type="Value" value="student" ignoreCase="true" />
                                <Rule xsi:type="Value" value="staff" ignoreCase="true" />
                                value="library-walk-in" caseSensitive="false"/>
			</PermitValueRule>
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- Rule to honour Subject ID requirement tag in metadata. Used in combination with Geant/Refeds Code of Conduct v* -->
	<!-- Code of Conduct can be combined with other entity categories -->
	<!-- Supports data minimalisation to prevent subject-id and pairwise-id being released together -->
	<AttributeFilterPolicy id="subject-identifiers">
		<PolicyRequirementRule xsi:type="OR">
			<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
			<Rule xsi:type="ValueEntityAttributeExactMatch" value="alum" ignoreCase="trueattributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" />
		</PolicyRequirementRule>
		<AttributeRule                                <Rule attributeID="samlPairwiseID">
			<PermitValueRule xsi:type="Value" value="member" ignoreCase="true" />
                                AND">
				<Rule xsi:type="NOT">
					<Rule xsi:type="ValueEntityAttributeExactMatch" valueattributeName="affiliatehttp://macedir.org/entity-category" ignoreCaseattributeValue="true" />
                                https://refeds.org/category/personalized" />
				</Rule>
				<Rule xsi:type="Value" value="employee" ignoreCase="true" />
                                <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
                        </Rule>
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="o">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="norEduOrgAcronym">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="c">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="co">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganizationType">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- REFEDS Research and Schoolarship -->
<AttributeFilterPolicy id="releaseToRandS">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://refeds.org/category/research-and-scholarship" />
<!-- Alternative configuration examples for ePTID. See the static variables section of the attribute resolver.
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="NOT">
                        <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" />
                </PermitValueRule>
        </AttributeRule>
-->
<!--
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
-->
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
		<!-- Deprecated, unlikely to be used in the future
        <AttributeRule attributeID="eduPersonUniqueId">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        -->
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRuleOR">
					<Rule xsi:type="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="pairwise-id" />
					<Rule xsi:type="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="any" />
				</Rule>
			</PermitValueRule>
		</AttributeRule>
		<AttributeRule attributeID="samlSubjectID">
			<PermitValueRule xsi:type="AND">
				<Rule xsi:type="NOT">
					<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" />
				</Rule>
				<Rule xsi:type="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="subject-id" />
			</PermitValueRule>
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
	<AttributeFilterPolicy id="releaseToCodeOfConduct">
		<PolicyRequirementRule xsi:type="OR">
			<Rule xsi:type="EntityAttributeExactMatch"                       attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
			<Rule xsi:type="ValueEntityAttributeExactMatch" valueattributeName="facultyhttp://macedir.org/entity-category" ignoreCase="true" />
                        <RuleattributeValue="https://refeds.org/category/code-of-conduct/v2" />
		</PolicyRequirementRule>
		<AttributeRule attributeID="eduPersonTargetedID">
			<PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="student" ignoreCase="true" />
                        <Ruletrue" />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonPrincipalName">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonOrcid">
			<PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="staff" ignoreCase="true" />
                        <Ruletrue" />
		</AttributeRule>
		<AttributeRule attributeID="norEduPersonNIN">
			<PermitValueRule xsi:type="Value" value="alum" ignoreCaseAND">
				<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        				<Rule xsi:type="ValueRegistrationAuthority" valueregistrars="member" ignoreCase="true" />
                        <Rule http://www.swamid.se/" />
			</PermitValueRule>
		</AttributeRule>
		<AttributeRule attributeID="personalIdentityNumber">
			<PermitValueRule xsi:type="Value" value="affiliate" ignoreCase="true" />
                        AND">
				<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
				<Rule xsi:type="ValueRegistrationAuthority" valueregistrars="employee" ignoreCase="true" />
                        <Rulehttp://www.swamid.se/" />
			</PermitValueRule>
		</AttributeRule>
		<AttributeRule attributeID="schacDateOfBirth">
			<PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="library-walk-in" ignoreCase="true" />
                </PermitValueRule>
        		</AttributeRule>
</AttributeFilterPolicy>

<!-- ESI European Student Identifier -->
<AttributeFilterPolicy id="entity-category-european-student-identifier">
        <PolicyRequirementRule 		<AttributeRule attributeID="mail">
			<PermitValueRule xsi:type="EntityAttributeExactMatchAttributeInMetadata"
 onlyIfRequired="true"               attributeName="http://macedir.org/entity-category"
                attributeValue="https://myacademicid.org/entity-categories/esi" />
        />
		</AttributeRule>
		<AttributeRule attributeID="cn">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="schacPersonalUniqueCodedisplayName">
			<PermitValueRule xsi:type="AttributeInMetadata"                onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="givenName">
			<PermitValueRule xsi:type="ValueRegexAttributeInMetadata" regexonlyIfRequired="^urn:schac:PersonalUniqueCode:int:esi:.*true" />
        		</AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 -->
<AttributeFilterPolicy id="entity-category-research-and-education">
        <PolicyRequirementRule xsi:type="AND">
                <Rule		<AttributeRule attributeID="sn">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonAssurance">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonScopedAffiliation">
			<PermitValueRule xsi:type="ORAND">
                        				<Rule xsi:type="EntityAttributeExactMatchAttributeInMetadata"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
                         onlyIfRequired="true" />
				<Rule xsi:type="OR">
					<Rule xsi:type="Value" value="faculty" caseSensitive="false" />
					<Rule xsi:type="Value" value="student" caseSensitive="false" />
					<Rule xsi:type="Value" value="staff" caseSensitive="false" />
					<Rule xsi:type="EntityAttributeExactMatchValue"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/nren-service" />
                        <Rulevalue="alum" caseSensitive="false" />
					<Rule xsi:type="Value" value="member" caseSensitive="false" />
					<Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
					<Rule xsi:type="Value" value="employee" caseSensitive="false" />
					<Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
				</Rule>
			</PermitValueRule>
		</AttributeRule>
		<AttributeRule attributeID="eduPersonAffiliation">
			<PermitValueRule xsi:type="EntityAttributeExactMatchAttributeInMetadata"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/hei-service" />
                </Rule>
                <Rule onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="o">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="norEduOrgAcronym">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="c">
			<PermitValueRule xsi:type="EntityAttributeExactMatchAttributeInMetadata"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/research-and-education" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="co">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="schacHomeOrganization">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
		<AttributeRule attributeID="schacHomeOrganizationType">
			<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- REFEDS Research and Scholarship Entity Category -->
	<AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship">
		<PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship" />
		<AttributeRule attributeID="eduPersonTargetedID">
			<PermitValueRule xsi:type="NOT">
				<Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" />
			</PermitValueRule>
		</AttributeRule>
		<AttributeRule attributeID="displayName">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="eduPersonAssurancegivenName">
			<PermitValueRule                xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="sn">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="mail">
                			<PermitValueRule xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule        attributeID="eduPersonAssurance">
			<PermitValueRule xsi:type="ANY" />
		</AttributeRule>
        		<AttributeRule attributeID="eduPersonScopedAffiliationeduPersonPrincipalName">
                			<PermitValueRule xsi:type="ORANY">
                        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
                         />
		</AttributeRule>
		<AttributeRule attributeID="eduPersonScopedAffiliation">
			<PermitValueRule xsi:type="OR">
				<Rule xsi:type="Value" value="studentfaculty" ignoreCasecaseSensitive="truefalse" />
                        				<Rule xsi:type="Value" value="student" caseSensitive="false" />
				<Rule xsi:type="Value" value="staff" ignoreCasecaseSensitive="truefalse" />
                        				<Rule xsi:type="Value" value="alum" ignoreCasecaseSensitive="truefalse" />
                        				<Rule xsi:type="Value" value="member" ignoreCasecaseSensitive="truefalse" />
                        				<Rule xsi:type="Value" value="affiliate" ignoreCasecaseSensitive="truefalse" />
				<Rule xsi:type="Value" value="employee"                      caseSensitive="false" />
				<Rule xsi:type="Value" value="employeelibrary-walk-in" ignoreCasecaseSensitive="truefalse" />
			</PermitValueRule>
		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- ESI European Student Identifier                    <Rule-->
	<AttributeFilterPolicy id="entity-category-european-student-identifier">
		<PolicyRequirementRule xsi:type="ValueEntityAttributeExactMatch" valueattributeName="library-walk-in" ignoreCase="truehttp://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi" />
                </PermitValueRule>
        </AttributeRule>
        		<AttributeRule attributeID="oschacPersonalUniqueCode">
                			<PermitValueRule xsi:type="ANYValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
        		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- DEPRECATED       <AttributeRule attributeID="norEduOrgAcronym">
                <PermitValueRule entity-category-swamid-research-and-education -->
	<AttributeFilterPolicy id="entity-category-research-and-education">
		<PolicyRequirementRule xsi:type="ANYAND" />
        </AttributeRule>
        <AttributeRule attributeID="c">
                <PermitValueRule 			<Rule xsi:type="OR">
				<Rule xsi:type="ANYEntityAttributeExactMatch" />
        </AttributeRule>
        <AttributeRule attributeID="co">
                <PermitValueRule attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
				<Rule xsi:type="ANYEntityAttributeExactMatch" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/nren-service" />
				<Rule xsi:type="ANYEntityAttributeExactMatch" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-sfs-1993-1153 WILL BE REMOVED 2020-10-31-->
<AttributeFilterPolicy id="entity-category-sfs-1993-1153">
        <PolicyRequirementRuleattributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/hei-service" />
			</Rule>
			<Rule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/sfsresearch-1993and-1153education" />

        		</PolicyRequirementRule>
		<AttributeRule attributeID="norEduPersonNINgivenName">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                		<AttributeRule attributeID="sn">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
</AttributeFilterPolicy>

<!-- Examples of entityId based release to Service Providers -->

<!-- Release to testshib.org -->
<!--
<AttributeFilterPolicy id="testShib">
        <PolicyRequirementRule		<AttributeRule attributeID="displayName">
			<PermitValueRule xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="cn">
			<PermitValueRule xsi:type="Requester" value="https://sp.testshib.org/shibboleth-spANY" />

        		</AttributeRule>
		<AttributeRule attributeID="givenNameeduPersonPrincipalName">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>

        		<AttributeRule attributeID="commonNameeduPersonAssurance">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>

        		<AttributeRule attributeID="surnamemail">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>

        		<AttributeRule attributeID="principaleduPersonScopedAffiliation">
			<PermitValueRule xsi:type="OR">
				<Rule xsi:type="Value" value="faculty"             <PermitValueRulecaseSensitive="false" />
				<Rule xsi:type="ANY"Value" value="student" caseSensitive="false" />
				<Rule xsi:type="Value"       </AttributeRule>

</AttributeFilterPolicy>
-->




<!-- NyA-webben UHR -->
<!--
<AttributeFilterPolicy id="releaseNyAwebbenEntitlement">
        <PolicyRequirementRulevalue="staff" caseSensitive="false" />
				<Rule xsi:type="Value" value="alum" caseSensitive="false" />
				<Rule xsi:type="ORValue">
 value="member"               caseSensitive="false" />
				<Rule xsi:type="RequesterValue" value="https://expert.antagning.se/ecs-spaffiliate" caseSensitive="false" />
                				<Rule xsi:type="RequesterValue" value="https://expert.testa.antagning.se/ecs-sp="employee" caseSensitive="false" />
                				<Rule xsi:type="Value" value="Requesterlibrary-walk-in" valuecaseSensitive="https://expert.testb.antagning.se/ecs-spfalse" />
        			</PolicyRequirementRule>PermitValueRule>

        		</AttributeRule>
		<AttributeRule attributeID="NyAwebbenEntitlemento">
			<PermitValueRule                xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="norEduOrgAcronym">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
</AttributeFilterPolicy>
-->




<!--  TCS - Digicert until 2020-04-30 -->
<!--  New TCS Personal -->
<!--
<AttributeFilterPolicy id="releaseTcsPersonalEntitlement">
        <PolicyRequirementRule xsi:type="Requester" value="https://www.digicert.com/sso" />

        <AttributeRule attributeID="displayName">
                		<AttributeRule attributeID="co">
			<PermitValueRule xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="c">
			<PermitValueRule xsi:type="ANY" />
		</AttributeRule>
		<AttributeRule attributeID="schacHomeOrganization">
			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
	</AttributeFilterPolicy>

	<!-- DEPRECATED entity-category-sfs-1993-1153      <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule-->
	<AttributeFilterPolicy id="entity-category-sfs-1993-1153">
		<PolicyRequirementRule xsi:type="ANYEntityAttributeExactMatch"/>
        </AttributeRule>
        <AttributeRule attributeID="tcsPersonalEntitlement">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
         attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/sfs-1993-1153" />
		<AttributeRule attributeID="mailnorEduPersonNIN">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="schacHomeOrganizationeduPersonAssurance">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
</AttributeFilterPolicy>
-->



<!--  TCS - Sectigo 2020-05-01 and forward -->
<!--  Please see https://wiki.sunet.se/display/SWAMID/SAML-konfiguration+Sunet+TCS -->
	</AttributeFilterPolicy>

	<!--  for information on how to create a resolver for tcsPersonalEntitlement.      Sectigo -->
<!--
	<AttributeFilterPolicy id="releaseSectigoAttributeBundle">
        		<PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />

        <AttributeRule attributeID="eduPersonPrincipalName">
                		<AttributeRule attributeID="eduPersonPrincipalName">
			<PermitValueRule xsi:type="ANY"/>
        		</AttributeRule>
        		<AttributeRule attributeID="displayName">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="givenName">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="mail">
                			<PermitValueRule xsi:type="ANY" />
        		</AttributeRule>
        		<AttributeRule attributeID="sn">
                			<PermitValueRule xsi:type="ANY"/>
        		</AttributeRule>
        		<AttributeRule attributeID="schacHomeOrganization">
                			<PermitValueRule xsi:type="ANY"/>
        		</AttributeRule>
        		<AttributeRule attributeID="tcsPersonalEntitlement">
                	<PermitValueRule xsi:type="ANY"/>
        	</AttributeRule>
<   </AttributeFilterPolicy>
-->


 <!-- PLACEHOLDER DO NOT REMOVE -->
</AttributeFilterPolicyGroup>
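Review bot: The `entity-category-sfs-1993-1153` policy near the end of the file releases `norEduPersonNIN` with `xsi:type="ANY"` to every SP whose metadata carries the `http://www.swamid.se/category/sfs-1993-1153` entity category, with no check on who registered the entity. The Code of Conduct policy in the same file releases `norEduPersonNIN` and `personalIdentityNumber` only when a `RegistrationAuthority` rule with `registrars="http://www.swamid.se/"` also matches, so the deprecated policy is the weaker path to the national identity number. If it has to stay, I would make its `PolicyRequirementRule` an `AND` of the existing `EntityAttributeExactMatch` rule and `<Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />`. The page interleaves old and new lines, so this reading of the new side should be confirmed against the actual file; it also matters only if that category is not already filtered from interfederation metadata on import.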

...