<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- REFEDS Anonymous Authorization Entity Category -->
<AttributeFilterPolicy id="releaseToRefedsAnonymous">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="https://refeds.org/category/anonymous" />
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganization">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
</AttributeFilterPolicy>
<!-- REFEDS Pseudonymous Authorization Entity Category -->
<!-- Supports data minimalisation to prevent use together with anonymous -->
<AttributeFilterPolicy id="releaseToRefedsPseudonymous">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatchAND">
<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category"
attributeValue="https://refeds.org/category/pseudonymous" />
<AttributeRule<Rule attributeIDxsi:type="samlPairwiseIDNOT">
<PermitValueRule <Rule xsi:type="ANY"="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" />
</AttributeRule>Rule>
</PolicyRequirementRule>
<AttributeRule attributeID="samlPairwiseID">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganization">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurance">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- REFEDS Personalized Access Entity Category -->
<!-- Supports data minimalisation to prevent use together with anonymous and pseudonymous-->
<AttributeFilterPolicy id="releaseToRefedsPersonalized">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatchAND">
<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category"
attributeValue="https://refeds.org/category/personalized" />
<AttributeRule attributeID <Rule xsi:type="samlSubjectIDNOT">
<PermitValueRule<Rule xsi:type="ANYOR" />
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule <Rule xsi:type="ANYEntityAttributeExactMatch" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="ANYattributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/anonymous" />
<Rule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" />
</AttributeRule>Rule>
<AttributeRule</Rule>
</PolicyRequirementRule>
<AttributeRule attributeID="snsamlSubjectID">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="maildisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurancegivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganizationsn">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliationmail">
<PermitValueRule xsi:type="ORANY" />
</AttributeRule>
<Rule<AttributeRule xsi:typeattributeID="Value" value="faculty" caseSensitive="false" eduPersonAssurance">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<Rule<AttributeRule xsi:type="Value" value="student" caseSensitive="false"/attributeID="schacHomeOrganization">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="stafffaculty" caseSensitive="false" />
<Rule xsi:type="Value" value="alumstudent" caseSensitive="false"/>
<Rule xsi:type="Value" value="memberstaff" caseSensitive="false"/>
<Rule xsi:type="Value" value="affiliatealum" caseSensitive="false"/>
<Rule xsi:type="Value" value="employeemember" caseSensitive="false"/>
<Rule xsi:type="Value" value="library-walk-inaffiliate" caseSensitive="false"/>
</PermitValueRule>
</ <Rule xsi:type="Value" value="employee" caseSensitive="false"/>
<Rule xsi:type="Value" value="library-walk-in" caseSensitive="false"/>
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
<!-- GEANTRule Data protection Code of Conduct or REFEDS Data Protectionto honour Subject ID requirement tag in metadata. Used in combination with Geant/Refeds Code of Conduct Entity Categoryv* -->
<AttributeFilterPolicy id="releaseToCodeOfConduct">
<PolicyRequirementRule <!-- Code of Conduct can be combined with other entity categories -->
<!-- Supports data minimalisation to prevent subject-id and pairwise-id being released together -->
<AttributeFilterPolicy id="subject-identifiers">
<PolicyRequirementRule xsi:type="OR">
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="https://refeds.org/category/code-of-conduct/v2" />
</PolicyRequirementRule>
<AttributeRule attributeID="eduPersonTargetedIDsamlPairwiseID">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /AND">
</AttributeRule>
<AttributeRule<Rule attributeIDxsi:type="eduPersonPrincipalNameNOT">
<PermitValueRule <Rule xsi:type="EntityAttributeExactMatch" attributeName="AttributeInMetadatahttp://macedir.org/entity-category" onlyIfRequiredattributeValue="truehttps://refeds.org/category/personalized" />
</AttributeRule>Rule>
<AttributeRule<Rule attributeIDxsi:type="eduPersonOrcidOR">
<PermitValueRule<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true="EntityAttributeExactMatch" attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="pairwise-id" />
</AttributeRule>
<AttributeRule attributeID="norEduPersonNIN">
<PermitValueRule xsi:type="AND">
<Rule xsi:type="AttributeInMetadataEntityAttributeExactMatch" onlyIfRequired="true" />
<Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="any" />
</Rule>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="personalIdentityNumbersamlSubjectID">
<PermitValueRule xsi:type="AND">
<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" /NOT">
<Rule xsi:type="RegistrationAuthorityEntityAttributeExactMatch" registrarsattributeName="http://wwwmacedir.swamid.se/org/entity-category" attributeValue="https://refeds.org/category/pseudonymous" />
</PermitValueRule>
</AttributeRule>Rule>
<AttributeRule attributeID="samlPairwiseID">
<PermitValueRule<Rule xsi:type="AttributeInMetadataEntityAttributeExactMatch" onlyIfRequiredattributeName="true" />
</AttributeRule>
<AttributeRule attributeID="schacDateOfBirth">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="trueurn:oasis:names:tc:SAML:profiles:subject-id:req" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="subject-id" />
</AttributeRule>PermitValueRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="cn</AttributeRule>
</AttributeFilterPolicy>
<!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
<AttributeFilterPolicy id="releaseToCodeOfConduct">
<PolicyRequirementRule xsi:type="OR">
<PermitValueRule<Rule xsi:type="AttributeInMetadataEntityAttributeExactMatch" onlyIfRequiredattributeName="true" />
</AttributeRule>
<AttributeRule attributeID="displayName"http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
<PermitValueRule<Rule xsi:type="AttributeInMetadataEntityAttributeExactMatch" onlyIfRequiredattributeName="truehttp://macedir.org/entity-category" />attributeValue="https://refeds.org/category/code-of-conduct/v2" />
</AttributeRule>PolicyRequirementRule>
<AttributeRule attributeID="givenNameeduPersonTargetedID">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="sneduPersonPrincipalName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssuranceeduPersonOrcid">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliationnorEduPersonNIN">
<PermitValueRule xsi:type="AND">
<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
<Rule xsi:type="OR">
<Rule xsi:type="Value" value="faculty" caseSensitive="false" RegistrationAuthority" registrars="http://www.swamid.se/" />
</PermitValueRule>
<Rule xsi:type="Value" value="student" caseSensitive="false" /</AttributeRule>
<AttributeRule attributeID="personalIdentityNumber">
<Rule<PermitValueRule xsi:type="Value" value="staff" caseSensitive="false" /AND">
<Rule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="alumtrue" caseSensitive="false" />
<Rule xsi:type="ValueRegistrationAuthority" valueregistrars="memberhttp://www.swamid.se/" caseSensitive="false" />
</PermitValueRule>
</AttributeRule>
<Rule<AttributeRule xsi:typeattributeID="Value" value="affiliate" caseSensitive="falseschacDateOfBirth">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="mail">
<Rule<PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="employee" caseSensitive="false" /true" />
</AttributeRule>
<AttributeRule attributeID="mailLocalAddress">
<Rule<PermitValueRule xsi:type="ValueAttributeInMetadata" valueonlyIfRequired="library-walk-intrue" caseSensitive="false" />
</Rule>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliationcn">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="odisplayName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="norEduOrgAcronymgivenName">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="csn">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="coeduPersonAssurance">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganizationeduPersonScopedAffiliation">
<PermitValueRule xsi:type="AND">
<Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule<Rule attributeIDxsi:type="schacHomeOrganizationTypeOR">
<PermitValueRule <Rule xsi:type="AttributeInMetadataValue" value="faculty" onlyIfRequiredcaseSensitive="truefalse" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- REFEDS Research and Scholarship Entity Category -->
<AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship">
<PolicyRequirementRule <Rule xsi:type="Value" value="student" caseSensitive="false" />
<Rule xsi:type="Value" value="staff" caseSensitive="false" />
<Rule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://refeds.org/category/research-and-scholarshipValue" value="alum" caseSensitive="false" />
<AttributeRule attributeID="eduPersonTargetedID">
<PermitValueRule<Rule xsi:type="Value" value="member" caseSensitive="NOTfalse" />
<Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssuranceaffiliate" caseSensitive="false" />
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="displayName">
<PermitValueRule xsi:type="ANY <Rule xsi:type="Value" value="employee" caseSensitive="false" />
</AttributeRule>
<AttributeRule<Rule attributeIDxsi:type="givenName">
<PermitValueRule xsi:type="ANYValue" value="library-walk-in" caseSensitive="false" />
</Rule>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="sneduPersonAffiliation">
<PermitValueRule xsi:type="ANY"AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="mailo">
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="ANYtrue" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurance">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="faculty" caseSensitive="false" />
<Rule xsi:type="Value" value="student" caseSensitive="false" />
<Rule xsi:type="Value" value="staff" caseSensitive="false" />
<Rule xsi:type="Value" value="alum" caseSensitive="false" />
<Rule xsi:type="Value" value="member" caseSensitive="false" />
<Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
<Rule xsi:type="Value" value="employee" caseSensitive="false" />
<Rule xsi:type="Value" value="library-walk-in" caseSensitive="false" />
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
<!-- ESI European Student Identifier -->
<AttributeFilterPolicy id="entity-category-european-student-identifier">
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="https://myacademicid.org/entity-categories/esi" />
<AttributeRule attributeID="schacPersonalUniqueCode">
<PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- DEPRECATED entity-category-swamid-research-and-education -->
<AttributeFilterPolicy id="entity-category-research-and-education">
<PolicyRequirementRule xsi:type="ANDnorEduOrgAcronym">
<Rule<PermitValueRule xsi:type="OR"AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<Rule<AttributeRule xsi:typeattributeID="EntityAttributeExactMatchc">
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.swamid.se/category/eu-adequate-protection<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<Rule<AttributeRule xsi:typeattributeID="EntityAttributeExactMatchco">
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.swamid.se/category/nren-service" /<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganization">
<Rule<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.swamid.se/category/hei-service" />
</Rule>
<RuleAttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
<AttributeRule attributeID="schacHomeOrganizationType">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.swamid.se/category/research-and-education" />
</PolicyRequirementRule>
<AttributeRule attributeID="givenNameAttributeInMetadata" onlyIfRequired="true" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- REFEDS Research and Scholarship Entity Category -->
<AttributeFilterPolicy id="releaseToRefedsResearchAndScholarship">
<PermitValueRule<PolicyRequirementRule xsi:type="ANYEntityAttributeExactMatch" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="ANY"attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship" />
</AttributeRule>
<AttributeRule attributeID="displayNameeduPersonTargetedID">
<PermitValueRule xsi:type="ANYNOT" />
</AttributeRule>
<AttributeRule <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="commonNameeduPersonAssurance" />
<PermitValueRule xsi:type="ANY" /> </PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalNamedisplayName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurancegivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mailsn">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliationmail">
<PermitValueRule xsi:type="ORANY" />
<Rule xsi:type="Value" value="faculty" caseSensitive="false" /></AttributeRule>
<Rule xsi:type<AttributeRule attributeID="Value" value="student" caseSensitive="false" /eduPersonAssurance">
<Rule<PermitValueRule xsi:type="Value" value="staff" caseSensitive="false" /ANY" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalName">
<Rule<PermitValueRule xsi:type="ValueANY" value="alum" caseSensitive="false" />
</AttributeRule>
<Rule<AttributeRule xsi:typeattributeID="Value" value="member" caseSensitive="false" /eduPersonScopedAffiliation">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="affiliatefaculty" caseSensitive="false" />
<Rule xsi:type="Value" value="employeestudent" caseSensitive="false" />
<Rule xsi:type="Value" value="library-walk-instaff" caseSensitive="false" />
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="o">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="norEduOrgAcronym" <Rule xsi:type="Value" value="alum" caseSensitive="false" />
<PermitValueRule <Rule xsi:type="Value" value="member" caseSensitive="ANYfalse" />
</AttributeRule>
<AttributeRule attributeID="co">
<Rule xsi:type="Value" value="affiliate" caseSensitive="false" />
<PermitValueRule<Rule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="c"Value" value="employee" caseSensitive="false" />
<PermitValueRule <Rule xsi:type="Value" value="library-walk-in" caseSensitive="ANYfalse" />
</PermitValueRule>
</AttributeRule>
</AttributeFilterPolicy>
<AttributeRule attributeID="schacHomeOrganization"<!-- ESI European Student Identifier -->
<AttributeFilterPolicy id="entity-category-european-student-identifier">
<PermitValueRule<PolicyRequirementRule xsi:type="ANYEntityAttributeExactMatch" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- DEPRECATED entity-category-sfs-1993-1153 -->
<AttributeFilterPolicy id="entity-category-sfs-1993-1153">
<PolicyRequirementRuleattributeName="http://macedir.org/entity-category" attributeValue="https://myacademicid.org/entity-categories/esi" />
<AttributeRule attributeID="schacPersonalUniqueCode">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://macedir.org/entity-category"
attributeValue="http://www.swamid.se/category/sfs-1993-1153" />
<AttributeRule attributeID="norEduPersonNINValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Sectigo -->
<AttributeFilterPolicy id="releaseSectigoAttributeBundle">
<PermitValueRule<PolicyRequirementRule xsi:type="ANYRequester" value="https://cert-manager.com/shibboleth" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssuranceeduPersonPrincipalName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
<!-- Sectigo -->
<AttributeFilterPolicy id="releaseSectigoAttributeBundle <AttributeRule attributeID="displayName">
<PolicyRequirementRule <PermitValueRule xsi:type="RequesterANY" value="https://cert-manager.com/shibboleth" />/>
</AttributeRule>
<AttributeRule attributeID="eduPersonPrincipalNamegivenName">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="displayNamemail">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="givenNamesn">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="mailschacHomeOrganization">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
<AttributeRule attributeID="sntcsPersonalEntitlement">
<PermitValueRule xsi:type="ANY"/>
</AttributeRule>
< </AttributeFilterPolicy>
<!-- PLACEHOLDER DO NOT REMOVE -->
</AttributeFilterPolicyGroup>
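Review bot: The new `subject-identifiers` policy does not exclude the REFEDS anonymous category in either value rule: as far as the fused old/new text on this page can be read, `samlPairwiseID` is guarded only by a NOT on `https://refeds.org/category/personalized` and `samlSubjectID` only by a NOT on `https://refeds.org/category/pseudonymous`. A service that carries a Code of Conduct category together with `https://refeds.org/category/anonymous` and a `urn:oasis:names:tc:SAML:profiles:subject-id:req` tag would therefore appear to receive a persistent identifier alongside the anonymous bundle, which runs against the data-minimisation intent stated in the comments on the pseudonymous and personalized policies. If that combination is not meant to be supported, add a `<Rule xsi:type="NOT">` wrapping an `EntityAttributeExactMatch` on the anonymous category value inside both `AND` rules, and extend the policy comment to list which category combinations suppress each identifier. A short comment noting that a requirement value of `any` releases only the pairwise identifier would also make that choice explicit for the next maintainer.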