AttributeFilters to prevent specific users to use an SP?

Kanuch, Andrew Andy.Kanuch at
Tue Feb 26 15:26:56 EST 2013

Thanks, Peter and Scott. The filter policy is working for me now.   I was unable to find any examples on the wiki that used NOT as a basic rule,  so I did not realize it needed a separate ending tag to encapsulate the rule it was NOTing..  Stupid mistake on my part. Now I'm slightly less stupid though, so that's nice. : )

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Peter Schober
Sent: Tuesday, February 26, 2013 1:32 PM
To: users at
Subject: Re: AttributeFilters to prevent specific users to use an SP?

* Kanuch, Andrew <Andy.Kanuch at> [2013-02-26 19:54]:
> Is it possible to use an Attribute Filter policy to a prevent a subset 
> of users from being able to pass attributes to a Specific Service 
> provider?


> For example:  A filter policy that allows passes user attributes 
> (eduPersonAffiliation, givenName, EPPN, description) to the SP 
>,  *unless* the user account has the value of "Student" 
> in their LDAP(AD) account description field.
> I've attempted to do this using some AND and NOT rules,  but I don't 
> think the Policy Requirement Rule likes having those nested because it 
> breaks the 1 Rule Only rule for PolicyRequirementRule (Copy of policy 
> below.)

That would work (if dont correctly).

> ( Is it best practice to craft individual Attribute Filter Polices 
> based on specific SP needs,  or around individual attributes? )

I do/did both, depending on what makes more sense for a given use case.
Generally I have the filter structured by attribute (because we have more SPs than attributes, which makes for less rules with lists of OR'ed SPs within).
For SPs needing specical attentiaon (usually custom eduPersoneEntitlement values only meant for a specific SP) I have rules by SP. That same SP might also be matched by other rules (see above), which could be misleading, I suppose.

>                 <afp:AttributeFilterPolicy id="testshibby">
>                                 <afp:PolicyRequirementRule 
> xsi:type="basic:AND">
>                                                 <basic:Rule xsi:type="basic:NOT">
> <basic:Rule xsi:type="basic:AttributeValueString" 
> attributeID="description" value="student"/>
>                                                 <basic:Rule 
> xsi:type="basic:AttributeRequesterString" 
> value="" ignoreCase="true"/>
>                                 </afp:PolicyRequirementRule>

Kind of hard to read with the intention and on the small screen I'm at currently, but that's not valid (not well-formed XML either, a basic check you should /always/ perform when eduting any XML; here the NOT rule has content but no closing tag), but try reversing the NOT and AND rules to become NOT ( AND ( student testshib ) ), so to speak.
NOT can only negate a single "think". If you want to negate several things combine them into a single "thing" via AND or OR, -peter
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list