summaryrefslogtreecommitdiff
path: root/idp/template-config/attribute-filter.xml
diff options
context:
space:
mode:
Diffstat (limited to 'idp/template-config/attribute-filter.xml')
-rw-r--r--idp/template-config/attribute-filter.xml179
1 files changed, 140 insertions, 39 deletions
diff --git a/idp/template-config/attribute-filter.xml b/idp/template-config/attribute-filter.xml
index 4543e99..eae2abe 100644
--- a/idp/template-config/attribute-filter.xml
+++ b/idp/template-config/attribute-filter.xml
@@ -13,44 +13,145 @@
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
- <!-- Release some attributes to an SP. -->
- <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
- <AttributeFilterPolicy id="sp.nordu.dev">
- <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
- <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
- <AttributeRule attributeID="eduPersonPrincipalName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="uid">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mail">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="givenName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="surname">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="displayName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="commonName">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="employeeType">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="email">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="eduPersonEntitlement">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
- <AttributeRule attributeID="mailLocalAddress">
- <PermitValueRule xsi:type="ANY" />
- </AttributeRule>
+ <AttributeFilterPolicy id="releaseTransientIdToAnyone">
+ <PolicyRequirementRule xsi:type="ANY" />
- </AttributeFilterPolicy>
+ <AttributeRule attributeID="transientId">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+
+ <!-- GEANT Data protection Code of Conduct -->
+ <AttributeFilterPolicy id="releaseToCoCo">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="cn">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="AND">
+ <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ <Rule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </Rule>
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonAffiliation">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganization">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ <AttributeRule attributeID="schacHomeOrganizationType">
+ <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- REFEDS Research and Schoolarship -->
+ <AttributeFilterPolicy id="releaseToRandS">
+ <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+ attributeName="http://macedir.org/entity-category"
+ attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ </AttributeFilterPolicy>
+
+ <!-- Release some attributes to an SP. -->
+ <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+ <AttributeFilterPolicy id="sp.nordu.dev">
+ <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+ <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+ <AttributeRule attributeID="eduPersonPrincipalName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mail">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="givenName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="surname">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="displayName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="commonName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="employeeType">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="email">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonEntitlement">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="mailLocalAddress">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ <AttributeRule attributeID="eduPersonScopedAffiliation">
+ <PermitValueRule xsi:type="OR">
+ <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+ <Rule xsi:type="Value" value="student" ignoreCase="true" />
+ <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+ <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+ <Rule xsi:type="Value" value="member" ignoreCase="true" />
+ <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+ <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+ <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+ </PermitValueRule>
+ </AttributeRule>
+ <AttributeRule attributeID="organizationName">
+ <PermitValueRule xsi:type="ANY" />
+ </AttributeRule>
+ </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
generated by cgit v1.1 at 2025-07-22 06:35:34 +0000