relaxed scoped attribute checking
Cantor, Scott
cantor.2 at osu.edu
Sat May 17 11:48:31 EDT 2014
On 5/16/14, 10:30 PM, "Peter Schober" <peter.schober at univie.ac.at> wrote:
>From a quick look one way to do that would be to change the default
>"ScopingRules" PermitValueRule type from AND to OR and 'or' anything
>that exists together with another rule, like one of type
>"basic:AttributeIssuerString" and value="https://idp.example.org/entity".
To avoid losing the regex check, you probably want something like:
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="OR">
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
        <Rule xsi:type="AttributeIssuerString" value="entityID"/>
    </Rule>
</afp:PermitValueRule>
(default namespace in my file is the "basic" one, that's why the rule
types don't have basic: in front of them)
-- Scott
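
Added example, not part of the original message and not Shibboleth's code: a simplified Python model of the rule tree above, showing which scoped values it permits. Assumptions: the issuer is the example entityID from the quoted text, the regex is a search over the value part, metadata scopes are literal strings, and the evaluate/permitted helpers are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The rule from the message, wrapped with the namespace declarations needed
# to parse it stand-alone. The issuer value is the example from the quoted text.
POLICY = """
<afp:PermitValueRule id="ScopingRules" xsi:type="AND"
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Rule xsi:type="NOT">
    <Rule xsi:type="AttributeValueRegex" regex="@"/>
  </Rule>
  <Rule xsi:type="OR">
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    <Rule xsi:type="AttributeIssuerString" value="https://idp.example.org/entity"/>
  </Rule>
</afp:PermitValueRule>
"""

def evaluate(rule, ctx):
    """Evaluate one rule element against ctx (value, scope, issuer, md_scopes)."""
    kind = rule.get(XSI_TYPE).split(":")[-1]  # drop a "basic:" or "saml:" prefix
    kids = list(rule)
    if kind == "AND":
        return all(evaluate(k, ctx) for k in kids)
    if kind == "OR":
        return any(evaluate(k, ctx) for k in kids)
    if kind == "NOT":
        return not evaluate(kids[0], ctx)
    if kind == "AttributeValueRegex":
        # Assumption: modelled as a regex search over the value part
        return re.search(rule.get("regex"), ctx["value"]) is not None
    if kind == "AttributeScopeMatchesShibMDScope":
        # Assumption: literal scopes only (regexp scopes are not modelled)
        return ctx["scope"] in ctx["md_scopes"]
    if kind == "AttributeIssuerString":
        return ctx["issuer"] == rule.get("value")
    raise ValueError("unsupported rule type: " + kind)

def permitted(value, scope, issuer, md_scopes):
    """True if the modelled policy would keep this scoped attribute value."""
    ctx = {"value": value, "scope": scope, "issuer": issuer, "md_scopes": md_scopes}
    return evaluate(ET.fromstring(POLICY), ctx)
```

In this model the named issuer passes with any scope, so the exemption removes scope enforcement for that IdP entirely, while the embedded "@" check still applies to every issuer.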