Each attribute rule contains one and only one value rule.
Christopher Bongaarts
cab at umn.edu
Fri Feb 15 12:13:41 EST 2013
The strategy I've had to use, when wanting to make release of some
attribute's values conditional on some other attribute, is to make each
condition a separate AttributeFilterPolicy altogether, and put the
condition in the PolicyRequirementRule. So your example would be (rough
pseudo-XML, watch out for namespaces I may have omitted):
<afp:AttributeFilterPolicy id="spxxx_ou=cs_entitlements">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
        <!-- existing PRR goes here, e.g. requesting SP -->
        <basic:Rule xsi:type="..."/>
        <basic:Rule xsi:type="basic:AttributeValueRegex"
            attributeID="distinguishedName" regex="^OU=ComputerScience.*$"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="eduPersonEntitlement">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString"
                value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString"
                value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true"/>
        </afp:PermitValueRule>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Then make another AFP for ou=HumanitiesStudent, etc.
On 2/15/2013 10:39 AM, Glenn Wearen wrote:
> In my setup I assign every known value of ePe to all users in the
> resolver and then attempt to filter the values based on some other
> attribute's value.
>
> But I think what I'm trying to do cannot be achieved due to the limitation
> that "Each attribute rule contains one and only one value rule."
> (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter#IdPAddAttributeFilter-3DefineAttributeRules )
>
> this is what I've come up with…
>
>
> <afp:AttributeRule attributeID="eduPersonEntitlement" xsi:type="basic:OR">
>     <basic:Rule xsi:type="AttributeValueRegex"
>         attributeID="distinguishedName" regex="^OU=ComputerScience.*$">
>         <afp:PermitValueRule xsi:type="basic:OR">
>             <basic:Rule xsi:type="basic:AttributeValueString"
>                 value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true"/>
>             <basic:Rule xsi:type="basic:AttributeValueString"
>                 value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true"/>
>         </afp:PermitValueRule>
>     </basic:Rule>
>     <basic:Rule xsi:type="basic:AttributeValueRegex"
>         attributeID="distinguishedName" regex="^OU=HumanitiesStudent.*$">
>         <afp:PermitValueRule xsi:type="basic:OR">
>             <basic:Rule xsi:type="basic:AttributeValueString"
>                 value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:69303931" ignoreCase="true"/>
>             <basic:Rule xsi:type="basic:AttributeValueString"
>                 value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:98632322" ignoreCase="true"/>
>         </afp:PermitValueRule>
>     </basic:Rule>
> </afp:AttributeRule>
>
> This raises the error "ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:188] -
> Configuration was not loaded for shibboleth.AttributeFilterEngine
> service, error creating components. The root cause of this error was:
> org.xml.sax.SAXParseException: cvc-elt.4.3: Type 'basic:OR' is not
> validly derived from the type definition, 'AttributeRuleType', of
> element 'afp:AttributeRule'."
>
> I had a look at the schema and I don't think it allows for an OR on an
> AttributeRule.
>
> Anybody got a suggestion that doesn't involve a script resolver, or a
> script matching rule
> <https://wiki.shibboleth.net/confluence/display/SHIB2/IdPFilterRequirementScript>?
> Glenn
>
> Edugate <http://www.edugate.ie> Operations
> HEAnet Limited <http://www.heanet.ie>, Ireland's Education and Research
> Network -
> 1st Floor, 5 George's Dock, IFSC, Dublin 1
> Registered in Ireland, no 275301 tel: +353-1-6609040 fax: +353-1-6603666
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
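As an added example (not part of the thread, and not Glenn's or Christopher's actual configuration), here is the reply's sketch expanded into a complete, schema-valid IdP v2 attribute-filter.xml with one AttributeFilterPolicy per OU. The SP entityID `https://onthehub.example.edu/shibboleth` is a placeholder, and the OU regexes and entitlement values are copied from the thread rather than known to be correct for any real directory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Requires that "distinguishedName"
     is defined in attribute-resolver.xml; it is only used as a condition
     here and need not be released to any SP. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
                        urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">

    <!-- Policy 1: Computer Science users talking to the OnTheHub SP.
         Both conditions must hold (basic:AND); the requester rule keeps the
         entitlements from leaking to every other SP. The entityID is an
         assumed placeholder. -->
    <afp:AttributeFilterPolicy id="onthehub_cs_entitlements">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                value="https://onthehub.example.edu/shibboleth"/>
            <basic:Rule xsi:type="basic:AttributeValueRegex"
                attributeID="distinguishedName" regex="^OU=ComputerScience.*$"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <!-- exactly one value rule per AttributeRule; OR the values inside it -->
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString"
                    value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString"
                    value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Policy 2: Humanities students, same SP, a different value set. -->
    <afp:AttributeFilterPolicy id="onthehub_humanities_entitlements">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                value="https://onthehub.example.edu/shibboleth"/>
            <basic:Rule xsi:type="basic:AttributeValueRegex"
                attributeID="distinguishedName" regex="^OU=HumanitiesStudent.*$"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString"
                    value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:69303931" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString"
                    value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:98632322" ignoreCase="true"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Two things worth checking before deploying something like this. First, the filter engine evaluates every policy whose PolicyRequirementRule matches and releases the union of the permitted values, so a user whose DN matched both regexes would receive both entitlement sets; if that is not wanted, make the regexes mutually exclusive. Second, the anchored `^OU=...` regexes from the thread only match a DN whose first RDN is the OU; in most directories the DN starts with `CN=` or `uid=`, and a pattern such as `^(.*,)?OU=ComputerScience(,.*)?$` would be needed instead. Since the resolver attaches every entitlement value to every user, this filter is the only thing standing between a user and the wrong entitlements, so it is worth testing with the IdP's aacli tool against accounts from each OU and from neither.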