added attribute policy

internal-sto4-prod-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml

@@ -0,0 +1,75 @@
+<AttributeFilterPolicyGroup
+    xmlns="urn:mace:shibboleth:2.0:afp"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <!-- Shared rule for affiliation values. -->
+    <PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty"/>
+        <Rule xsi:type="Value" value="student"/>
+        <Rule xsi:type="Value" value="staff"/>
+        <Rule xsi:type="Value" value="alum"/>
+        <Rule xsi:type="Value" value="member"/>
+        <Rule xsi:type="Value" value="affiliate"/>
+        <Rule xsi:type="Value" value="employee"/>
+        <Rule xsi:type="Value" value="library-walk-in"/>
+    </PermitValueRule>
+    
+    <!--
+    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
+    an AttributeRule for each attribute you want to check.
+    -->
+    <PermitValueRule id="ScopingRules" xsi:type="AND">
+        <Rule xsi:type="NOT">
+            <Rule xsi:type="ValueRegex" regex="@"/>
+        </Rule>
+        <Rule xsi:type="ScopeMatchesShibMDScope"/>
+    </PermitValueRule>
+
+    <AttributeFilterPolicy>
+        <!-- This policy is in effect in all cases. -->
+        <PolicyRequirementRule xsi:type="ANY"/>
+
+        <!-- Filter out undefined affiliations and ensure only one primary. -->
+        <AttributeRule attributeID="affiliation">
+            <PermitValueRule xsi:type="AND">
+                <RuleReference ref="eduPersonAffiliationValues"/>
+                <RuleReference ref="ScopingRules"/>
+            </PermitValueRule>
+        </AttributeRule>
+        <AttributeRule attributeID="unscoped-affiliation">
+            <PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </AttributeRule>
+        <AttributeRule attributeID="primary-affiliation">
+            <PermitValueRuleReference ref="eduPersonAffiliationValues"/>
+        </AttributeRule>
+
+        <AttributeRule attributeID="subject-id" permitAny="true"/>
+
+        <AttributeRule attributeID="pairwise-id">
+            <PermitValueRuleReference ref="ScopingRules"/>
+        </AttributeRule>
+        
+        <AttributeRule attributeID="eppn">
+            <PermitValueRuleReference ref="ScopingRules"/>
+        </AttributeRule>
+
+        <AttributeRule attributeID="targeted-id">
+            <PermitValueRuleReference ref="ScopingRules"/>
+        </AttributeRule>
+
+        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
+        <AttributeRule attributeID="persistent-id">
+            <PermitValueRule xsi:type="NameIDQualifierString"/>
+        </AttributeRule>
+        
+        <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
+        <AttributeRule attributeID="schacHomeOrganization">
+            <PermitValueRule xsi:type="ValueMatchesShibMDScope" />
+        </AttributeRule>
+
+        <!-- Catch-all that passes everything else through unmolested. -->
+        <AttributeRule attributeID="*" permitAny="true"/>
+        
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>