AttributeFilterConfiguration
jalauros edited this page Oct 10, 2017 · 29 revisions
For basic attribute filtering, refer to the Shibboleth IdP 3 AttributeFilterConfiguration documentation. This page documents the additional components provided by the Shibboleth OIDC extension.
OIDC extension RuleTypes for AttributeFilterPolicyConfiguration
- oidcext:OIDCScope, PolicyRule for comparing the scope values of the authentication request to a string.
The first example releases an attribute to all OpenID RPs (and only to those). The second example releases attributes to a specific OpenID RP if and only if the scope value info is set in the request.
```xml
<!-- The id below is a placeholder; use your own policy id. -->
<AttributeFilterPolicy id="EXAMPLE_OPENID_SCOPE">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <!-- Both rules must match: the requester is demo_rp AND the scope info was requested. -->
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```