...
<?xml version="1.0" encoding="UTF-8"?> <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns="urn:mace:shibboleth:2.0:afp" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> <!-- REFEDS Anonymous Authorization Entity Category --> <AttributeFilterPolicy id="releaseToRefedsAnonymous"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> </AttributeFilterPolicy> <!-- REFEDS Pseudonymous Authorization Entity Category --> <AttributeFilterPolicy id="releaseToRefedsPseudonymous"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" <!-- Supports data minimalisation to prevent use together with anonymous --> <AttributeFilterPolicy id="releaseToRefedsPseudonymous"> <PolicyRequirementRule xsi:type="AND"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" /> <AttributeRule<Rule attributeIDxsi:type="samlPairwiseIDNOT"> <PermitValueRule<Rule xsi:type="ANY"/> EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> </Rule> </PolicyRequirementRule> <AttributeRule attributeID="samlPairwiseID"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> <AttributeRule attributeID="eduPersonAssurance"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> 
</AttributeFilterPolicy> <!-- REFEDS Personalized Access Entity Category --> <AttributeFilterPolicy <!-- Supports data minimalisation to prevent use together with anonymous and pseudonymous--> <AttributeFilterPolicy id="releaseToRefedsPersonalized"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatchAND"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/personalized" /> <AttributeRule<Rule attributeIDxsi:type="samlSubjectIDNOT"> <PermitValueRule<Rule xsi:type="ANYOR" /> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule <Rule xsi:type="ANYEntityAttributeExactMatch" /> </AttributeRule> <AttributeRule attributeID="givenName"attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" /> <PermitValueRule <Rule xsi:type="ANY" />EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" /> </Rule> </AttributeRule>Rule> </PolicyRequirementRule> <AttributeRule attributeID="snsamlSubjectID"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="maildisplayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurancegivenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganizationsn"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliationmail"> <PermitValueRule xsi:type="ORANY" /> </AttributeRule> <Rule<AttributeRule xsi:typeattributeID="Value" value="faculty" caseSensitive="false" /eduPersonAssurance"> <Rule<PermitValueRule xsi:type="ValueANY" value="student" caseSensitive="false"/> </AttributeRule> <Rule<AttributeRule xsi:typeattributeID="Value" value="staff" caseSensitive="false"/schacHomeOrganization"> <Rule<PermitValueRule xsi:type="Value" ANY" /> </AttributeRule> 
<AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="OR"> <Rule xsi:type="Value" value="alumfaculty" caseSensitive="false" /> <Rule xsi:type="Value" value="memberstudent" caseSensitive="false"/> <Rule xsi:type="Value" value="affiliatestaff" caseSensitive="false"/> <Rule xsi:type="Value" value="employeealum" caseSensitive="false"/> <Rule xsi:type="Value" value="library-walk-inmember" caseSensitive="false"/> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> <AttributeFilterPolicy id="releaseToCodeOfConduct"> <PolicyRequirementRule xsi:type="OR"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" /> </PolicyRequirementRule> <AttributeRule attributeID="eduPersonTargetedID"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonOrcid"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="norEduPersonNIN"> <PermitValueRule xsi:type="AND"> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="personalIdentityNumber"> <PermitValueRule xsi:type="AND"> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> </PermitValueRule> </AttributeRule> 
<AttributeRule attributeID="schacDateOfBirth"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="cn"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="displayName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="givenName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true <Rule xsi:type="Value" value="affiliate" caseSensitive="false"/> <Rule xsi:type="Value" value="employee" caseSensitive="false"/> <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false"/> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <!-- Rule to honour Subject ID requirement tag in metadata. Used in combination with Geant/Refeds Code of Conduct v* --> <!-- Code of Conduct can be combined with other entity categories --> <!-- Supports data minimalisation to prevent subject-id and pairwise-id being released together --> <AttributeFilterPolicy id="subject-identifiers"> <PolicyRequirementRule xsi:type="OR"> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" /> </AttributeRule>PolicyRequirementRule> <AttributeRule attributeID="snsamlPairwiseID"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /AND"> </AttributeRule> <AttributeRule<Rule attributeIDxsi:type="eduPersonAssuranceNOT"> <PermitValueRule<Rule xsi:type="EntityAttributeExactMatch" attributeName="AttributeInMetadatahttp://macedir.org/entity-category" 
onlyIfRequiredattributeValue="truehttps://refeds.org/category/personalized" /> </AttributeRule>Rule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule<Rule xsi:type="ANDOR"> <Rule xsi:type="AttributeInMetadataEntityAttributeExactMatch" onlyIfRequired="true" /> <Rule xsi:type="OR"> <Rule xsi:type="Value" value="faculty" caseSensitive="falseattributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="pairwise-id" /> <Rule xsi:type="Value" value="student" caseSensitive="falseEntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="any" /> <Rule xsi:type="Value" value="staff" caseSensitive="false" /></Rule> <Rule xsi:type="Value" value="alum" caseSensitive="false" /</PermitValueRule> </AttributeRule> <AttributeRule attributeID="samlSubjectID"> <Rule<PermitValueRule xsi:type="Value" value="member" caseSensitive="false" /AND"> <Rule xsi:type="Value" value="affiliate" caseSensitive="false" /NOT"> <Rule xsi:type="ValueEntityAttributeExactMatch" valueattributeName="employeehttp://macedir.org/entity-category" caseSensitiveattributeValue="falsehttps://refeds.org/category/pseudonymous" /> </Rule> <Rule xsi:type="ValueEntityAttributeExactMatch" valueattributeName="library-walk-in" caseSensitive="falseurn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="subject-id" /> </Rule>PermitValueRule> </PermitValueRule>AttributeRule> </AttributeRule> <AttributeRule attributeID="eduPersonAffiliation"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="oAttributeFilterPolicy> <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> <AttributeFilterPolicy 
id="releaseToCodeOfConduct"> <PolicyRequirementRule xsi:type="OR"> <PermitValueRule<Rule xsi:type="EntityAttributeExactMatch" attributeName="AttributeInMetadata" onlyIfRequired="true"http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> </AttributeRule> <AttributeRule attributeID="norEduOrgAcronym"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/code-of-conduct/v2" /> </AttributeRule>PolicyRequirementRule> <AttributeRule attributeID="ceduPersonTargetedID"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="coeduPersonPrincipalName"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganizationeduPersonOrcid"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganizationTypenorEduPersonNIN"> <PermitValueRule xsi:type="AND"> <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" /> </AttributeFilterPolicy> <!-- REFEDS Research and Scholarship Entity Category --> <AttributeFilterPolicy id="releaseToRefedsResearchAndScholarshipPermitValueRule> </AttributeRule> <AttributeRule attributeID="personalIdentityNumber"> <PolicyRequirementRule <PermitValueRule xsi:type="EntityAttributeExactMatchAND"> attributeName="http://macedir.org/entity-category"<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> attributeValue <Rule xsi:type="RegistrationAuthority" registrars="http://refedswww.swamid.org/category/research-and-scholarshipse/" /> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="eduPersonTargetedIDschacDateOfBirth"> 
<PermitValueRule xsi:type="NOT"> <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurancemail" /> </PermitValueRule><PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="displayNamemailLocalAddress"> <PermitValueRule xsi:type="ANYAttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="givenNamecn"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" /> </AttributeRule> <AttributeRule attributeID="sndisplayName"> <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="mailgivenName"> <PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurancesn"> <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalNameeduPersonAssurance"> <PermitValueRule xsi:type="ANYAttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="ORAND"> <Rule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="facultytrue" caseSensitive/> <Rule xsi:type="falseOR" /> <Rule xsi:type="Value" value="studentfaculty" caseSensitive="false" /> <Rule xsi:type="Value" value="staffstudent" caseSensitive="false" /> <Rule xsi:type="Value" value="alumstaff" caseSensitive="false" /> <Rule xsi:type="Value" value="memberalum" caseSensitive="false" /> <Rule xsi:type="Value" value="affiliatemember" caseSensitive="false" /> <Rule xsi:type="Value" value="employeeaffiliate" caseSensitive="false" /> <Rule xsi:type="Value" value="library-walk-inemployee" caseSensitive="false" /> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <!-- ESI 
European Student Identifier --> <AttributeFilterPolicy id="entity-category-european-student-identifier"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi" /><Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" /> </Rule> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="schacPersonalUniqueCodeeduPersonAffiliation"> <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> </AttributeFilterPolicy> <!-- DEPRECATED entity-category-swamid-research-and-education --> <AttributeFilterPolicy id="entity-category-research-and-education <AttributeRule attributeID="o"> <PolicyRequirementRule <PermitValueRule xsi:type="AND""AttributeInMetadata" onlyIfRequired="true" /> <Rule xsi:type="OR</AttributeRule> <AttributeRule attributeID="norEduOrgAcronym"> <Rule<PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/eu-adequate-protection" /AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="c"> <Rule<PermitValueRule xsi:type="EntityAttributeExactMatch"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> attributeName="http://macedir.org/entity-category"<AttributeRule attributeID="co"> attributeValue="http://www.swamid.se/category/nren-service<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> <AttributeRule attributeID="schacHomeOrganization"> <Rule<PermitValueRule xsi:type="EntityAttributeExactMatch"AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> attributeName="http://macedir.org/entity-category"<AttributeRule attributeID="schacHomeOrganizationType"> attributeValue="http://www.swamid.se/category/hei-service<PermitValueRule 
xsi:type="AttributeInMetadata" onlyIfRequired="true" /> </AttributeRule> </Rule> <RuleAttributeFilterPolicy> <!-- REFEDS Research and Scholarship Entity Category --> <AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship"> <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://wwwrefeds.swamid.seorg/category/research-and-educationscholarship" /> </PolicyRequirementRule> <AttributeRule attributeID="givenNameeduPersonTargetedID"> <PermitValueRule xsi:type="ANYNOT" /> </AttributeRule> <AttributeRule attributeID="surname"> <PermitValueRule<Rule xsi:type="ANYValue" /> </AttributeRule> <AttributeRulevalue="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="displayNameeduPersonAssurance" /> <PermitValueRule xsi:type="ANY" /></PermitValueRule> </AttributeRule> <AttributeRule attributeID="commonNamedisplayName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalNamegivenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssurancesn"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="mail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="OR"> <Rule xsi:type="Value" value="faculty" caseSensitive="false" / <AttributeRule attributeID="eduPersonAssurance"> <Rule<PermitValueRule xsi:type="Value" value="student" caseSensitive="false" /ANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> <Rule<PermitValueRule xsi:type="Value" value="staff" caseSensitive="false" /> <RuleANY" /> </AttributeRule> <AttributeRule attributeID="eduPersonScopedAffiliation"> <PermitValueRule xsi:type="Value" value="alum" caseSensitive="false" /OR"> <Rule xsi:type="Value" value="memberfaculty" caseSensitive="false" /> <Rule xsi:type="Value" value="affiliatestudent" 
caseSensitive="false" /> <Rule xsi:type="Value" value="employeestaff" caseSensitive="false" /> <Rule xsi:type="Value" value="library-walk-inalum" caseSensitive="false" /> </PermitValueRule> </AttributeRule> <AttributeRule attributeID="o"> <PermitValueRule <Rule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="norEduOrgAcronym"> <PermitValueRuleValue" value="member" caseSensitive="false" /> <Rule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="co"Value" value="affiliate" caseSensitive="false" /> <PermitValueRule <Rule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="c"Value" value="employee" caseSensitive="false" /> <PermitValueRule <Rule xsi:type="Value" value="library-walk-in" caseSensitive="ANYfalse" /> </PermitValueRule> </AttributeRule> </AttributeFilterPolicy> <AttributeRule attributeID="schacHomeOrganization<!-- ESI European Student Identifier --> <AttributeFilterPolicy id="entity-category-european-student-identifier"> <PermitValueRule<PolicyRequirementRule xsi:type="ANYEntityAttributeExactMatch" /> </AttributeRule> </AttributeFilterPolicy> <!-- DEPRECATED entity-category-sfs-1993-1153 --> <AttributeFilterPolicy id="entity-category-sfs-1993-1153attributeName="http://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi" /> <AttributeRule attributeID="schacPersonalUniqueCode"> <PolicyRequirementRule <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/sfs-1993-1153" /> <AttributeRule attributeID="norEduPersonNINValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" /> </AttributeRule> </AttributeFilterPolicy> <!-- Sectigo --> <AttributeFilterPolicy id="releaseSectigoAttributeBundle"> <PermitValueRule<PolicyRequirementRule xsi:type="ANYRequester" value="https://cert-manager.com/shibboleth" /> </AttributeRule> <AttributeRule attributeID="eduPersonAssuranceeduPersonPrincipalName"> 
<PermitValueRule xsi:type="ANY" /> </AttributeRule> </AttributeFilterPolicy> <!-- Sectigo --> <AttributeFilterPolicy id="releaseSectigoAttributeBundle <AttributeRule attributeID="displayName"> <PolicyRequirementRule <PermitValueRule xsi:type="RequesterANY" value="https://cert-manager.com/shibboleth" />/> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalNamegivenName"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="displayNamemail"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="givenNamesn"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="mailschacHomeOrganization"> <PermitValueRule xsi:type="ANY" /> </AttributeRule> <AttributeRule attributeID="sntcsPersonalEntitlement"> <PermitValueRule xsi:type="ANY"/> </AttributeRule> < </AttributeFilterPolicy> <!-- PLACEHOLDER DO NOT REMOVE --> </AttributeFilterPolicyGroup> |
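Review bot: The new subject-identifiers policy's samlPairwiseID rule excludes only the personalized category (its `NOT` wraps a single EntityAttributeExactMatch on https://refeds.org/category/personalized), whereas releaseToRefedsPseudonymous in the same change also excludes https://refeds.org/category/anonymous; as far as the interleaved rendering lets the new side be read, an SP tagged with Code of Conduct, anonymous and a subject-id:req of pairwise-id or any would therefore still receive samlPairwiseID. If that is not intended, the NOT should wrap an OR of anonymous and personalized, mirroring the NOT/OR structure releaseToRefedsPersonalized already uses. The samlSubjectID rule deserves the same check, since it excludes only pseudonymous. Old and new sides of this section are interleaved word by word on this page, so confirm this reading against the actual file before acting on it.
```xml
<AttributeRule attributeID="samlPairwiseID">
    <PermitValueRule xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="OR">
                <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" />
                <Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/personalized" />
            </Rule>
        </Rule>
        <!-- unchanged: OR of the subject-id:req pairwise-id / any rules -->
    </PermitValueRule>
</AttributeRule>
```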
...