82 lines
3.6 KiB
XML
82 lines
3.6 KiB
XML
<afp:AttributeFilterPolicyGroup
|
|
xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
|
|
xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
|
|
xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
|
|
xmlns:afp="urn:mace:shibboleth:2.0:afp"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|
|
|
|
<!-- Shared rule for affiliation values. -->
|
|
<afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
|
|
<Rule xsi:type="AttributeValueString" value="faculty"/>
|
|
<Rule xsi:type="AttributeValueString" value="student"/>
|
|
<Rule xsi:type="AttributeValueString" value="staff"/>
|
|
<Rule xsi:type="AttributeValueString" value="alum"/>
|
|
<Rule xsi:type="AttributeValueString" value="member"/>
|
|
<Rule xsi:type="AttributeValueString" value="affiliate"/>
|
|
<Rule xsi:type="AttributeValueString" value="employee"/>
|
|
<Rule xsi:type="AttributeValueString" value="library-walk-in"/>
|
|
</afp:PermitValueRule>
|
|
|
|
<!--
|
|
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
|
|
an AttributeRule for each attribute you want to check.
|
|
-->
|
|
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
|
|
<Rule xsi:type="NOT">
|
|
<Rule xsi:type="AttributeValueRegex" regex="@"/>
|
|
</Rule>
|
|
<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
|
|
</afp:PermitValueRule>
|
|
|
|
<afp:AttributeFilterPolicy>
|
|
<!-- This policy is in effect in all cases. -->
|
|
<afp:PolicyRequirementRule xsi:type="ANY"/>
|
|
|
|
<!-- Filter out undefined affiliations and ensure only one primary. -->
|
|
<afp:AttributeRule attributeID="affiliation">
|
|
<afp:PermitValueRule xsi:type="AND">
|
|
<RuleReference ref="eduPersonAffiliationValues"/>
|
|
<RuleReference ref="ScopingRules"/>
|
|
</afp:PermitValueRule>
|
|
</afp:AttributeRule>
|
|
<afp:AttributeRule attributeID="unscoped-affiliation">
|
|
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
|
</afp:AttributeRule>
|
|
<afp:AttributeRule attributeID="primary-affiliation">
|
|
<afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
|
|
</afp:AttributeRule>
|
|
|
|
<afp:AttributeRule attributeID="subject-id">
|
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
|
</afp:AttributeRule>
|
|
|
|
<afp:AttributeRule attributeID="pairwise-id">
|
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
|
</afp:AttributeRule>
|
|
|
|
<afp:AttributeRule attributeID="eppn">
|
|
<!-- Disabled scope check since the proxy does it for us and the proxies metadata doesn't include scopes from our customers.
|
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
|
-->
|
|
</afp:AttributeRule>
|
|
|
|
<afp:AttributeRule attributeID="targeted-id">
|
|
<afp:PermitValueRuleReference ref="ScopingRules"/>
|
|
</afp:AttributeRule>
|
|
|
|
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
|
|
<afp:AttributeRule attributeID="persistent-id">
|
|
<afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
|
|
</afp:AttributeRule>
|
|
|
|
<!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
|
|
<afp:AttributeRule attributeID="schacHomeOrganization">
|
|
<afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
|
|
</afp:AttributeRule>
|
|
|
|
<!-- Catch-all that passes everything else through unmolested. -->
|
|
<afp:AttributeRule attributeID="*" permitAny="true"/>
|
|
|
|
</afp:AttributeFilterPolicy>
|
|
|
|
</afp:AttributeFilterPolicyGroup>
|