AttributeFilterConfiguration

Janne Lauros edited this page Mar 13, 2019 · 29 revisions

For basic attribute filtering, refer to the Shibboleth IdP 3 AttributeFilterConfiguration. This page documents the additional policy rules and matchers provided by the Shibboleth OIDC extension. Note that you do not need OIDC-specific policy rules or matchers to release claims to a relying party; they are only an addition to the existing toolset.

Note that a few special claims/attributes are always returned regardless of attribute filtering; see Special Claims.

The topic of Splitting Claims is documented for more advanced use cases.

OIDC extension RuleTypes for AttributeFilterPolicyConfiguration

Example

The first example releases an attribute to all OpenID RPs (and only to those).

The second example releases attributes to a specific OpenID RP if the request includes the scope value info.

<AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>