AttributeFilterConfiguration
For basic attribute filtering, refer to the Shibboleth IdP 3 AttributeFilterConfiguration documentation. This page documents the additional components provided by the Shibboleth OIDC extension.
OIDC extension RuleTypes for AttributeFilterPolicyConfiguration
- oidcext:OIDCScope, PolicyRule for comparing the scope values of the authentication request to a string.
The example releases an attribute to all OpenID RPs (and only to those).
<AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
The example releases attributes to a specific OpenID RP if and only if the scope value info is set in the request.
<AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
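The two policies above differ in whether the scope rule is bound to a Requester. As an added example (not part of the extension or its documentation), this audit script lists what each policy releases and flags policies gated on scope alone. The wrapper element, the placeholder oidcext namespace URI, and the function names are assumptions, and only the AND combinator shown on this page is flattened.

```python
import xml.etree.ElementTree as ET
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed input: this page's two policies in a wrapper element. The
# oidcext namespace URI below is a placeholder, not the extension's real one.
SAMPLE = """<AttributeFilterPolicyGroup id="constructed"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oidcext="urn:example:placeholder">
  <AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <PolicyRequirementRule xsi:type="AND">
      <Rule xsi:type="Requester" value="demo_rp" />
      <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation"><PermitValueRule xsi:type="ANY" /></AttributeRule>
    <AttributeRule attributeID="mail"><PermitValueRule xsi:type="ANY" /></AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def local(name):  # strip '{namespace}' or 'prefix:' from a tag or xsi:type value
    return name.rsplit("}", 1)[-1].rsplit(":", 1)[-1]

def leaf_rules(rule):
    """Flatten a requirement rule into (type, value) leaves, recursing into AND only."""
    kind = local(rule.get(XSI_TYPE, ""))
    if kind == "AND":
        return [leaf for child in rule for leaf in leaf_rules(child)]
    return [(kind, rule.get("value"))]

def audit(xml_text):
    """Per policy: the scopes and requesters it is conditioned on, and what it releases."""
    report = []
    for policy in ET.fromstring(xml_text).iter():
        if local(policy.tag) != "AttributeFilterPolicy":
            continue
        leaves = [l for e in policy if local(e.tag) == "PolicyRequirementRule" for l in leaf_rules(e)]
        report.append({
            "policy": policy.get("id"),
            "scopes": [v for k, v in leaves if k == "OIDCScope"],
            "requesters": [v for k, v in leaves if k == "Requester"],
            "attributes": [e.get("attributeID") for e in policy if local(e.tag) == "AttributeRule"],
        })
    return report

def scope_only(report):
    """Policies gated on scope with no Requester: any RP whose request carries it matches."""
    return [r["policy"] for r in report if r["scopes"] and not r["requesters"]]

print(scope_only(audit(SAMPLE)))
```

A policy reported by scope_only releases its attributes to every RP that requests the scope, so each one it lists should be an intentional choice.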