relaxed scoped attribute checking

Cantor, Scott cantor.2 at
Sat May 17 11:48:31 EDT 2014

On 5/16/14, 10:30 PM, "Peter Schober" <peter.schober at> wrote:

>From a quick look one way to do that would be to change the default
>"ScopingRules" PermitValueRule type from AND to OR and 'or' anything
>that exists together with another rule like of type
>"basic:AttributeIssuerString" and value="".

To avoid losing the regex check, you probably want something like:

<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
	<Rule xsi:type="NOT">
		<Rule xsi:type="AttributeValueRegex" regex="@"/>
	</Rule>
	<Rule xsi:type="OR">
		<Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
		<Rule xsi:type="AttributeIssuerString" value="entityID"/>
	</Rule>
</afp:PermitValueRule>

(default namespace in my file is the "basic" one, that's why the rule
types don't have basic: in front of them)

-- Scott
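
An added example, not part of the message above and not Shibboleth's own code: a simplified Python model of how that rule tree evaluates, showing that the issuer exemption relaxes only the scope check while the regex check still applies. The entityIDs, the scopes, the `top_type` switch, and the treatment of the regex as an unanchored search on an already-split value are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
TRUSTED = "https://idp.example.org/trusted"   # constructed; stands in for "entityID"
OTHER = "https://idp.example.net/other"       # constructed
# Constructed stand-in for each issuer's <shibmd:Scope> metadata (literal scopes only).
MD_SCOPES = {TRUSTED: {"example.org"}, OTHER: {"example.net"}}

# The rule from the message, with namespaces declared so it parses on its own.
POLICY = f"""
<afp:PermitValueRule id="ScopingRules" xsi:type="AND"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Rule xsi:type="NOT"><Rule xsi:type="AttributeValueRegex" regex="@"/></Rule>
  <Rule xsi:type="OR">
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    <Rule xsi:type="AttributeIssuerString" value="{TRUSTED}"/>
  </Rule>
</afp:PermitValueRule>
"""

def evaluate(rule, value, scope, issuer):
    """Simplified model of the rule tree; value and scope arrive already split."""
    kind = rule.get(XSI_TYPE).split(":")[-1]
    results = [evaluate(child, value, scope, issuer) for child in rule]
    if kind == "AND":
        return all(results)
    if kind == "OR":
        return any(results)
    if kind == "NOT":
        return not results[0]
    if kind == "AttributeValueRegex":      # assumed: unanchored search on the value
        return re.search(rule.get("regex"), value) is not None
    if kind == "AttributeScopeMatchesShibMDScope":
        return scope in MD_SCOPES.get(issuer, set())
    if kind == "AttributeIssuerString":
        return rule.get("value") == issuer
    raise ValueError(f"unmodelled rule type: {kind}")

def permitted(value, scope, issuer, top_type="AND"):
    root = ET.fromstring(POLICY)
    root.set(XSI_TYPE, top_type)           # "OR" models flipping the top-level type
    return evaluate(root, value, scope, issuer)

if __name__ == "__main__":
    for case in [("alice", "example.net", OTHER), ("alice", "example.org", OTHER),
                 ("alice", "partner.example.com", TRUSTED),
                 ("alice@x", "partner.example.com", TRUSTED)]:
        print(case, permitted(*case), permitted(*case, top_type="OR"))
```

With the top-level type kept as AND, only the named issuer bypasses the metadata scope match; with the same tree under a top-level OR, both the scope check and the regex check stop constraining anything.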
