Use ENV for persistentiId, logging

author: Markus Krogh <markus@nordu.net> 2017-09-29 17:42:03 +0200
committer: Markus Krogh <markus@nordu.net> 2017-09-29 17:42:03 +0200
commit: 35751e3cf89abf69f11dff7f9a3396d8068becc8 (patch)
tree: 9f20b007e8e787ea1a5345c2b7200018a2727a59 /idp/template-config/attribute-filter.xml
parent: af0294d5f773bc071128b1ec1712c62f587c7b0a (diff)
1 files changed, 255 insertions, 129 deletions
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
index eae2abe..3514282 100644
--- a/idp/template-config/attribute-filter.xml
+++ b/idp/template-config/attribute-filter.xml
@@ -9,9 +9,9 @@
     and their options.
 -->
 <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
-        xmlns="urn:mace:shibboleth:2.0:afp"
-        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+  xmlns="urn:mace:shibboleth:2.0:afp"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
   <AttributeFilterPolicy id="releaseTransientIdToAnyone">
     <PolicyRequirementRule xsi:type="ANY" />
@@ -19,139 +19,265 @@
     <AttributeRule attributeID="transientId">
       <PermitValueRule xsi:type="ANY" />
     </AttributeRule>
+    <AttributeRule attributeID="persistentId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
   </AttributeFilterPolicy>
 
 
-	<!-- GEANT Data protection Code of Conduct -->
-	<AttributeFilterPolicy id="releaseToCoCo">
-  	<PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-    											 attributeName="http://macedir.org/entity-category"
-    											 attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
-  	<AttributeRule attributeID="displayName">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="cn">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="email">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonPrincipalName">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonScopedAffiliation">
-  	  <PermitValueRule xsi:type="AND">
-  	    <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	    <Rule xsi:type="OR">
-  	      <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="student" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="member" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-  	      <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-  	    </Rule>
-  	  </PermitValueRule>
-  	</AttributeRule>
-  	<AttributeRule attributeID="eduPersonAffiliation">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="schacHomeOrganization">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-  	<AttributeRule attributeID="schacHomeOrganizationType">
-  	  <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
-  	</AttributeRule>
-	</AttributeFilterPolicy>
+  <!-- GEANT Data protection Code of Conduct -->
+  <AttributeFilterPolicy id="releaseToCoCo">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="cn">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="AND">
+        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        <Rule xsi:type="OR">
+          <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+          <Rule xsi:type="Value" value="student" ignoreCase="true" />
+          <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+          <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+          <Rule xsi:type="Value" value="member" ignoreCase="true" />
+          <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+          <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+          <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+        </Rule>
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAffiliation">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganizationType">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
 
-	<!-- REFEDS Research and Schoolarship -->
-	<AttributeFilterPolicy id="releaseToRandS">
-	  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
-	    attributeName="http://macedir.org/entity-category"
-	    attributeValue="http://refeds.org/category/research-and-scholarship" />
-	
-	  <AttributeRule attributeID="displayName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="givenName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="surname">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="email">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="eduPersonPrincipalName">
-	    <PermitValueRule xsi:type="ANY" />
-	  </AttributeRule>
-	  <AttributeRule attributeID="eduPersonScopedAffiliation">
-	    <PermitValueRule xsi:type="OR">
-	      <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="student" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="member" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-	      <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-	    </PermitValueRule>
-	  </AttributeRule>
-	</AttributeFilterPolicy>
+  <!-- REFEDS Research and Schoolarship -->
+  <AttributeFilterPolicy id="releaseToRandS">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- entity-category-swamid-research-and-education -->
+  <AttributeFilterPolicy id="entity-category-research-and-education">
+    <PolicyRequirementRule xsi:type="AND">
+      <Rule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/nren-service" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/hei-service" />
+      </Rule>
+      <Rule xsi:type="EntityAttributeExactMatch"
+        attributeName="http://macedir.org/entity-category"
+        attributeValue="http://www.swamid.se/category/research-and-education" />
+    </PolicyRequirementRule>
+
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAssurance">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
 
   <!-- Release some attributes to an SP. -->
   <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
   <AttributeFilterPolicy id="sp.nordu.dev">
-      <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
-      <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
-      <AttributeRule attributeID="eduPersonPrincipalName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="uid">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="mail">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="givenName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="surname">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="displayName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="commonName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="employeeType">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="email">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="eduPersonEntitlement">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="mailLocalAddress">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
-      <AttributeRule attributeID="eduPersonScopedAffiliation">
-          <PermitValueRule xsi:type="OR">
-              <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
-              <Rule xsi:type="Value" value="student" ignoreCase="true" />
-              <Rule xsi:type="Value" value="staff" ignoreCase="true" />
-              <Rule xsi:type="Value" value="alum" ignoreCase="true" />
-              <Rule xsi:type="Value" value="member" ignoreCase="true" />
-              <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
-              <Rule xsi:type="Value" value="employee" ignoreCase="true" />
-              <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
-          </PermitValueRule>
-      </AttributeRule>
-      <AttributeRule attributeID="organizationName">
-          <PermitValueRule xsi:type="ANY" />
-      </AttributeRule>
+    <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+    <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="uid">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mail">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="employeeType">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mailLocalAddress">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- ukfederation + incommon -->
+  <AttributeFilterPolicy id="everyoneInSwamidFeed">
+    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonTargetedID">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
   </AttributeFilterPolicy>
+
 </AttributeFilterPolicyGroup>
author	Markus Krogh <markus@nordu.net>	2017-09-29 17:42:03 +0200
committer	Markus Krogh <markus@nordu.net>	2017-09-29 17:42:03 +0200
commit	35751e3cf89abf69f11dff7f9a3396d8068becc8 (patch)
tree	9f20b007e8e787ea1a5345c2b7200018a2727a59 /idp/template-config/attribute-filter.xml
parent	af0294d5f773bc071128b1ec1712c62f587c7b0a (diff)