Restrict attribute values based on SP entity?
Peter Schober
peter.schober at univie.ac.at
Tue Nov 15 12:18:34 EST 2016
* Brian Mathis <brian.mathis at gmail.com> [2016-11-15 17:56]:
> I've tried various combinations of AttributeFilterPolicies and
> AttributeRules, but they all seem to either allow everything or block
> everything. I'm starting from the default attribute-policy.xml
> file.
Here's a slightly simpler example I've used in the past: Accepting the
"uid" attribute only from a specific IDP, and rejecting all uid
attributes from anywhere else:
In its own rule, near the end of the policy file (you could amend
that with more specific rules about the values) I accept any uid from
this IDP:
<afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString" value="https://idp.example.org/shibboleth" />
    <afp:AttributeRule attributeID="uid">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
Then within the existing always-runs rule near the top:
<afp:AttributeFilterPolicy>
    <!-- This policy is in effect in all cases. -->
    <afp:PolicyRequirementRule xsi:type="ANY"/>
I added a deny rule to deny "uid" from everywhere:
    <!-- Deny acceptance of uid attribute BUT allow it from specific IDPs elsewhere -->
    <afp:AttributeRule attributeID="uid">
        <afp:DenyValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
right before the "catch-all" that accepts everything else (for
clarity, order doesn't matter otherwise):
    <!-- Catch-all that passes everything else through unmolested. -->
    <afp:AttributeRule attributeID="*">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
HTH,
-peter
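For readers assembling this themselves, here is the complete attribute-policy.xml that the three fragments above add up to; this is an added example, not Peter's actual file nor the SP's shipped default. The namespace declarations follow the SP 2.x default file, and https://idp.example.org/shibboleth is a placeholder for the real IdP entityID.

```xml
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- This policy is in effect in all cases. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Deny uid from everywhere; the issuer-specific policy
             below is what re-admits it for the one trusted IdP. -->
        <afp:AttributeRule attributeID="uid">
            <afp:DenyValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Accept uid only when the asserting IdP matches this entityID
         (placeholder value; replace with the real IdP). -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
                                   value="https://idp.example.org/shibboleth"/>
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Running `shibd -t` after editing confirms the file parses before you restart the daemon; then check the SP's session handler or attribute log to verify uid only appears for sessions from the named IdP.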