<?xml version="1.0" encoding="UTF-8"?>
<!--
    Attribute filter policy for the Shibboleth SP.

    Evaluated after attribute extraction; it decides, value by value, which
    attribute values may reach the application. These checks are what stop
    an asserting party from claiming things it is not entitled to (a scope
    it does not own in metadata, an affiliation outside the eduPerson
    vocabulary, a NameID qualified for a different IdP/SP pairing), so
    relaxing any rule below widens what an IdP or proxy is trusted to say.
-->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
        Closed vocabulary for eduPersonAffiliation. A value outside this
        list is dropped rather than handed to the application to interpret.
    -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    </afp:PermitValueRule>

    <!--
        Shared check for scoped (value@scope) attributes. Both halves must
        hold for a value to survive:
          * the value part must not itself contain "@" (once the scope has
            been split off, a remaining "@" is a malformed or doubly scoped
            value), and
          * the scope must be one the asserting entity is allowed to assert,
            i.e. it must match a shibmd:Scope in that entity's metadata.
        Nothing applies this automatically: reference it from an
        AttributeRule for every scoped attribute that should be checked.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- Unconditional: applies to every asserting party and requester. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!--
            Scoped affiliation: the value must be in the eduPerson vocabulary
            AND its scope must belong to the asserting entity.
        -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <!-- Unscoped affiliations: vocabulary check only, there is no scope to verify. -->
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <!--
            Primary affiliation: vocabulary check only. NOTE(review): nothing
            in this file limits it to a single value; if the application
            assumes one primary affiliation, that is enforced elsewhere (or
            not at all). Verify before relying on it.
        -->
        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <!-- Scoped identifiers: the asserting entity must own the scope. -->
        <afp:AttributeRule attributeID="subject-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="pairwise-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!--
            eppn: the scope check is deliberately disabled. The upstream proxy
            is relied on to enforce the eppn scope, and the proxy's metadata
            does not list the customers' scopes, so ScopingRules would reject
            every value here. NOTE(review): this makes eppn exactly as
            trustworthy as the proxy's own scope enforcement; confirm the
            proxy really validates scope against the originating IdP's
            metadata. Also, with no value rule left inside this element the
            SP's treatment is not evident from this file (it may warn and
            skip the rule, letting eppn fall to the wildcard below). If
            unfiltered pass-through is the intent, permitAny="true" states
            that explicitly instead of leaving an empty rule.
        -->
        <afp:AttributeRule attributeID="eppn">
            <!-- <afp:PermitValueRuleReference ref="ScopingRules"/> -->
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="targeted-id">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!--
            persistent-id: accept a NameID only when its NameQualifier is the
            asserting IdP's entityID and its SPNameQualifier is this SP's
            entityID, rejecting identifiers qualified for some other pairing.
        -->
        <afp:AttributeRule attributeID="persistent-id">
            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
        </afp:AttributeRule>

        <!--
            schacHomeOrganization: the whole value must equal a shibmd:Scope
            the asserting entity holds in metadata.
        -->
        <afp:AttributeRule attributeID="schacHomeOrganization">
            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope"/>
        </afp:AttributeRule>

        <!--
            Catch-all: any attribute not named above is passed through with
            no value check at all. NOTE(review): that includes any further
            scoped or identity-bearing attribute defined in the attribute
            map, so a newly mapped attribute should get an explicit rule
            here rather than inheriting this default.
        -->
        <afp:AttributeRule attributeID="*" permitAny="true"/>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>