AttributeFilterConfiguration
jalauros edited this page Mar 6, 2018 · 29 revisions
For basic attribute filtering you should refer to the Shibboleth IdP 3 AttributeFilterConfiguration documentation. Here we document only the additional components provided by the Shibboleth OIDC extension.
There are a few special claims/attributes that are always returned regardless of attribute filtering; see Special Claims. When the userinfo endpoint is in use, you may need to control which claims are released in the ID token and which from the userinfo endpoint; that is described in Splitting Claims.
OIDC extension RuleTypes for AttributeFilterPolicyConfiguration
- oidcext:OIDCScope, a PolicyRule that compares the scope values of the OIDC authentication request to a configured string.
- oidcext:AttributeInOIDCRequestedClaims, a Matcher that compares the attribute's values to the claims requested in the OIDC authentication request.
The first example releases an attribute to all OpenID RPs (and only to those):

    <AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
        <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

The second example releases attributes to a specific OpenID RP only if the scope value info is present in the request:

    <AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester" value="demo_rp" />
            <Rule xsi:type="oidcext:OIDCScope" value="info" />
        </PolicyRequirementRule>
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
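The two examples above use only the oidcext:OIDCScope policy rule. The following is an added example, not taken from the wiki or from the extension's own documentation, showing the second rule type, oidcext:AttributeInOIDCRequestedClaims, used as a value matcher. The policy id and the choice of attribute are illustrative. The effect is that the attribute is released to OpenID RPs only when the RP has explicitly asked for the corresponding claim in the claims parameter of the authentication request, which keeps release to the minimum the RP actually requested rather than releasing it to every OpenID RP.

```xml
<!-- Added example, not part of the original page: release "mail" to OpenID RPs
     only when the RP requested the matching claim in its authentication request.
     The id "OPENID_REQUESTED_CLAIMS_ONLY" is an illustrative name. -->
<AttributeFilterPolicy id="OPENID_REQUESTED_CLAIMS_ONLY">
    <!-- Policy applies to OIDC requests that carry the "openid" scope. -->
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="mail">
        <!-- Matcher: permit the values only if the claim mapped from this
             attribute appears in the request's requested claims. -->
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" />
    </AttributeRule>
</AttributeFilterPolicy>
```

This assumes the attribute is mapped to an OIDC claim name through the usual attribute encoder configuration, since the matcher works on requested claims rather than on attribute ids. Compare this with the ALL_OPENID_CLIENTS example, where xsi:type="ANY" releases every value to every OpenID RP regardless of what it requested.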