You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

This is an example of a standard entity category based attribute filter for SWAMID 2.0 in a Shibboleth IdP which fulfils SWAMID's Entity Category attribute release in SWAMID

attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?>

<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

<!--  Release the transient ID to anyone -->
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="ANY" />

        <AttributeRule attributeID="transientId">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- GEANT Data protection Code of Conduct -->
<AttributeFilterPolicy id="releaseToCoCo">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
		<!-- Deprecated, unlikely to be used in the future
        <AttributeRule attributeID="eduPersonUniqueId">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        -->
        <AttributeRule attributeID="eduPersonOrcid">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="norEduPersonNIN">
                <PermitValueRule xsi:type="AND">
                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="personalIdentityNumber">
                <PermitValueRule xsi:type="AND">
                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        <Rule xsi:type="RegistrationAuthority" registrars="http://www.swamid.se/" />
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="schacDateOfBirth">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule xsi:type="AND">
                        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                        <Rule xsi:type="OR">
                                <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
                                <Rule xsi:type="Value" value="student" ignoreCase="true" />
                                <Rule xsi:type="Value" value="staff" ignoreCase="true" />
                                <Rule xsi:type="Value" value="alum" ignoreCase="true" />
                                <Rule xsi:type="Value" value="member" ignoreCase="true" />
                                <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
                                <Rule xsi:type="Value" value="employee" ignoreCase="true" />
                                <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
                        </Rule>
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="o">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="norEduOrgAcronym">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="c">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="co">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganizationType">
                <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- REFEDS Research and Schoolarship -->
<AttributeFilterPolicy id="releaseToRandS">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://refeds.org/category/research-and-scholarship" />
<!-- Alternative configuration examples for ePTID. See the static variables section of the attribute resolver.
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="NOT">
                        <Rule xsi:type="Value" value="https://refeds.org/assurance/ID/eppn-unique-no-reassign" attributeID="eduPersonAssurance" />
                </PermitValueRule>
        </AttributeRule>
-->
<!--
        <AttributeRule attributeID="eduPersonTargetedID">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
-->
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
		<!-- Deprecated, unlikely to be used in the future
        <AttributeRule attributeID="eduPersonUniqueId">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        -->
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule xsi:type="OR">
                        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
                        <Rule xsi:type="Value" value="student" ignoreCase="true" />
                        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
                        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
                        <Rule xsi:type="Value" value="member" ignoreCase="true" />
                        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
                        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
                        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
                </PermitValueRule>
        </AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-swamid-research-and-education WILL BE REMOVED 2020-10-31 -->
<AttributeFilterPolicy id="entity-category-research-and-education">
        <PolicyRequirementRule xsi:type="AND">
                <Rule xsi:type="OR">
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/nren-service" />
                        <Rule xsi:type="EntityAttributeExactMatch"
                                attributeName="http://macedir.org/entity-category"
                                attributeValue="http://www.swamid.se/category/hei-service" />
                </Rule>
                <Rule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/research-and-education" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
                <PermitValueRule xsi:type="OR">
                        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
                        <Rule xsi:type="Value" value="student" ignoreCase="true" />
                        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
                        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
                        <Rule xsi:type="Value" value="member" ignoreCase="true" />
                        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
                        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
                        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
                </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="o">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="norEduOrgAcronym">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="c">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="co">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- DEPRECATED entity-category-sfs-1993-1153 WILL BE REMOVED 2020-10-31-->
<AttributeFilterPolicy id="entity-category-sfs-1993-1153">
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/sfs-1993-1153" />

        <AttributeRule attributeID="norEduPersonNIN">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>

<!-- Examples of entityId based release to Service Providers -->

<!-- Release to testshib.org -->
<!--
<AttributeFilterPolicy id="testShib">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.testshib.org/shibboleth-sp" />

        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="commonName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="surname">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="principal">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

</AttributeFilterPolicy>
-->




<!-- NyA-webben UHR -->
<!--
<AttributeFilterPolicy id="releaseNyAwebbenEntitlement">
        <PolicyRequirementRule xsi:type="OR">
                <Rule xsi:type="Requester" value="https://expert.antagning.se/ecs-sp" />
                <Rule xsi:type="Requester" value="https://expert.testa.antagning.se/ecs-sp" />
                <Rule xsi:type="Requester" value="https://expert.testb.antagning.se/ecs-sp" />
        </PolicyRequirementRule>

        <AttributeRule attributeID="NyAwebbenEntitlement">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
</AttributeFilterPolicy>
-->




<!--  TCS - Digicert until 2020-04-30 -->
<!--  New TCS Personal -->
<!--
<AttributeFilterPolicy id="releaseTcsPersonalEntitlement">
        <PolicyRequirementRule xsi:type="Requester" value="https://www.digicert.com/sso" />

        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="tcsPersonalEntitlement">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
</AttributeFilterPolicy>
-->



<!--  TCS - Sectigo 2020-05-01 and forward -->
<!--  Please see https://wiki.sunet.se/display/SWAMID/SAML-konfiguration+Sunet+TCS -->
<!--  for information on how to create a resolver for tcsPersonalEntitlement.      -->
<!--
<AttributeFilterPolicy id="releaseSectigoAttributeBundle">
        <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />

        <AttributeRule attributeID="eduPersonPrincipalName">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="displayName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
                <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganization">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
        <AttributeRule attributeID="tcsPersonalEntitlement">
                <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
</AttributeFilterPolicy>
-->


<!-- PLACEHOLDER DO NOT REMOVE -->
</AttributeFilterPolicyGroup>
  • No labels