...
Release a Dynamic Subset of the R&S Bundle to ALL R&S SPs
...
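<!--
  Attribute filter policy: release a dynamic subset of the R&S bundle to all
  Research & Scholarship (R&S) SPs.

  Scope: the PolicyRequirementRule limits this policy to SPs whose metadata
  carries the REFEDS R&S entity category. Within that scope each attribute
  is released only if the SP's metadata lists it as a RequestedAttribute,
  so an SP receives the part of the bundle it declares rather than the whole
  bundle unconditionally.

  onlyIfRequired="false" is set explicitly on every AttributeInMetadata rule
  (including the ones that look up an alternative attribute by OID) so that a
  RequestedAttribute matches whether or not it is flagged isRequired; this is
  what the "listed in metadata" wording of the per-rule comments intends.

  The release decision is keyed entirely on SP metadata, so it is only as
  trustworthy as the metadata source: load it from a signature-verified feed
  that assigns the R&S category only to vetted SPs.

  The surrounding page notes this policy is for Shibboleth IdP v2.4.0 and higher.
-->
<afp:AttributeFilterPolicy id="releaseDynamicSubsetToRandS">

  <!-- apply only to SPs tagged with the REFEDS R&S entity category -->
  <afp:PolicyRequirementRule
      xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
      attributeName="http://macedir.org/entity-category"
      attributeValue="http://refeds.org/category/research-and-scholarship"/>

  <!-- release ePPN iff ePPN is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release ePTID iff either ePTID or ePPN are listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonTargetedID">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <!-- urn:oid:1.3.6.1.4.1.5923.1.1.1.6 = eduPersonPrincipalName -->
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"
          attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>
  <!-- if ePPN is non-reassigned, the above rule may be simplified or even commented out since ePTID is optional -->

  <!-- release mail iff mail is listed in metadata -->
  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>

  <!-- release displayName iff displayName or (givenName + sn) are listed in metadata -->
  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <!-- both givenName and sn must be requested for this branch to match -->
      <basic:Rule xsi:type="basic:AND">
        <!-- urn:oid:2.5.4.42 = givenName -->
        <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"
            attributeName="urn:oid:2.5.4.42"/>
        <!-- urn:oid:2.5.4.4 = sn -->
        <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"
            attributeName="urn:oid:2.5.4.4"/>
      </basic:Rule>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release givenName iff givenName or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <!-- urn:oid:2.16.840.1.113730.3.1.241 = displayName -->
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release surname iff surname or displayName are listed in metadata -->
  <afp:AttributeRule attributeID="surname">
    <afp:PermitValueRule xsi:type="basic:OR">
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
      <!-- urn:oid:2.16.840.1.113730.3.1.241 = displayName -->
      <basic:Rule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"
          attributeName="urn:oid:2.16.840.1.113730.3.1.241"/>
    </afp:PermitValueRule>
  </afp:AttributeRule>

  <!-- release ePSA iff ePSA is listed in metadata -->
  <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
    <afp:PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
  </afp:AttributeRule>
  <!-- since ePSA is OPTIONAL, the above rule may be commented out -->

</afp:AttributeFilterPolicy>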
Applies to Shibboleth IdP v2.4.0 and higher.
...