rut-test-ops/internal-sto4-test-monitor-1.rut.sunet.se/overlay/opt/naemon_monitor/attribute-policy.xml

<AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for affiliation values. -->
    <PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="Value" value="faculty"/>
        <Rule xsi:type="Value" value="student"/>
        <Rule xsi:type="Value" value="staff"/>
        <Rule xsi:type="Value" value="alum"/>
        <Rule xsi:type="Value" value="member"/>
        <Rule xsi:type="Value" value="affiliate"/>
        <Rule xsi:type="Value" value="employee"/>
        <Rule xsi:type="Value" value="library-walk-in"/>
    </PermitValueRule>
    
    <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
    -->
    <PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="ValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="ScopeMatchesShibMDScope"/>
    </PermitValueRule>

    <AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <PolicyRequirementRule xsi:type="ANY"/>

        <!-- Filter out undefined affiliations and ensure only one primary. -->
        <AttributeRule attributeID="affiliation">
            <PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </PermitValueRule>
        </AttributeRule>
        <AttributeRule attributeID="unscoped-affiliation">
            <PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </AttributeRule>
        <AttributeRule attributeID="primary-affiliation">
            <PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </AttributeRule>

        <AttributeRule attributeID="subject-id" permitAny="true"/>

        <AttributeRule attributeID="pairwise-id">
            <PermitValueRuleReference ref="ScopingRules"/>
        </AttributeRule>
        
        <AttributeRule attributeID="eppn">
            <PermitValueRuleReference ref="ScopingRules"/>
        </AttributeRule>

        <AttributeRule attributeID="targeted-id">
            <PermitValueRuleReference ref="ScopingRules"/>
        </AttributeRule>

        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
        <AttributeRule attributeID="persistent-id">
            <PermitValueRule xsi:type="NameIDQualifierString"/>
        </AttributeRule>
        
        <!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="ValueMatchesShibMDScope" />
        </AttributeRule>

        <!-- Catch-all that passes everything else through unmolested. -->
        <AttributeRule attributeID="*" permitAny="true"/>
        
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
Start wiring up monitor and satosa. 2024-04-30 10:23:34 +00:00			`<AttributeFilterPolicyGroup`
			`xmlns="urn:mace:shibboleth:2.0:afp"`
			`xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">`

			`<!-- Shared rule for affiliation values. -->`
			`<PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">`
			`<Rule xsi:type="Value" value="faculty"/>`
			`<Rule xsi:type="Value" value="student"/>`
			`<Rule xsi:type="Value" value="staff"/>`
			`<Rule xsi:type="Value" value="alum"/>`
			`<Rule xsi:type="Value" value="member"/>`
			`<Rule xsi:type="Value" value="affiliate"/>`
			`<Rule xsi:type="Value" value="employee"/>`
			`<Rule xsi:type="Value" value="library-walk-in"/>`
			`</PermitValueRule>`

			`<!--`
			`Shared rule for all "scoped" attributes, but you'll have to manually apply it inside`
			`an AttributeRule for each attribute you want to check.`
			`-->`
			`<PermitValueRule id="ScopingRules" xsi:type="AND">`
			`<Rule xsi:type="NOT">`
			`<Rule xsi:type="ValueRegex" regex="@"/>`
			`</Rule>`
			`<Rule xsi:type="ScopeMatchesShibMDScope"/>`
			`</PermitValueRule>`

			`<AttributeFilterPolicy>`
			`<!-- This policy is in effect in all cases. -->`
			`<PolicyRequirementRule xsi:type="ANY"/>`

			`<!-- Filter out undefined affiliations and ensure only one primary. -->`
			`<AttributeRule attributeID="affiliation">`
			`<PermitValueRule xsi:type="AND">`
			`<RuleReference ref="eduPersonAffiliationValues"/>`
			`<RuleReference ref="ScopingRules"/>`
			`</PermitValueRule>`
			`</AttributeRule>`
			`<AttributeRule attributeID="unscoped-affiliation">`
			`<PermitValueRuleReference ref="eduPersonAffiliationValues"/>`
			`</AttributeRule>`
			`<AttributeRule attributeID="primary-affiliation">`
			`<PermitValueRuleReference ref="eduPersonAffiliationValues"/>`
			`</AttributeRule>`

			`<AttributeRule attributeID="subject-id" permitAny="true"/>`

			`<AttributeRule attributeID="pairwise-id">`
			`<PermitValueRuleReference ref="ScopingRules"/>`
			`</AttributeRule>`

			`<AttributeRule attributeID="eppn">`
			`<PermitValueRuleReference ref="ScopingRules"/>`
			`</AttributeRule>`

			`<AttributeRule attributeID="targeted-id">`
			`<PermitValueRuleReference ref="ScopingRules"/>`
			`</AttributeRule>`

			`<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->`
			`<AttributeRule attributeID="persistent-id">`
			`<PermitValueRule xsi:type="NameIDQualifierString"/>`
			`</AttributeRule>`

			`<!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->`
			`<AttributeRule attributeID="schacHomeOrganization">`
			`<PermitValueRule xsi:type="ValueMatchesShibMDScope" />`
			`</AttributeRule>`

			`<!-- Catch-all that passes everything else through unmolested. -->`
			`<AttributeRule attributeID="*" permitAny="true"/>`

			`</AttributeFilterPolicy>`

			`</AttributeFilterPolicyGroup>`