Restrict attribute values based on SP entity?

Peter Schober peter.schober at univie.ac.at
Tue Nov 15 12:18:34 EST 2016


* Brian Mathis <brian.mathis at gmail.com> [2016-11-15 17:56]:
> I've tried various combinations of AttributeFilterPolicies and
> AttributeRules, but they all seem to either allow everything or block
> everything.  I'm starting from the default attribute-policy.xml
> file.

Here's a slightly simpler example I've used in the past: Accepting the
"uid" attribute only from a specific IDP, and rejecting all uid
attributes from anywhere else:

In its own rule, near the end of the policy file (you could amend
that with more specific rules about the values) I accept any uid from
this IDP:

    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString" value="https://idp.example.org/shibboleth" />
        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

Then within the existing always-runs rule near the top:

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

I added a deny rule to deny "uid" from everywhere:

    <!-- Deny acceptance of uid attribute BUT allow it from specific IDPs elsewhere -->
    <afp:AttributeRule attributeID="uid">
        <afp:DenyValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

right before the "catch-all" that accepts everything else (for
clarity, order doesn't matter otherwise):

    <!-- Catch-all that passes everything else through unmolested. -->
    <afp:AttributeRule attributeID="*">
        <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>

HTH,
-peter
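As an added illustration (not code from the original mail), a small Python check that assembles the two fragments above into one constructed attribute-policy.xml and reports, for each attribute the always-applies policy denies, which issuer-scoped policies permit it again. The afp/basic namespace URIs are the Shibboleth SP 2.x schema; the sample policy text and the function name are assumptions.

```python
# Added example, not from the original mail: parse a constructed SP
# attribute-policy.xml built from the two fragments in the mail and report
# which AttributeIssuerString policies re-permit an attribute that the
# xsi:type="ANY" policy denies. Namespaces follow the Shibboleth SP 2.x schema.
import xml.etree.ElementTree as ET

NS = {
    "afp": "urn:mace:shibboleth:2.0:afp",
    "basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Constructed sample policy: the deny rule plus catch-all in the always-applies
# policy, followed by the issuer-scoped permit for uid.
SAMPLE_POLICY = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="ANY"/>
    <afp:AttributeRule attributeID="uid">
      <afp:DenyValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="*">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeIssuerString"
        value="https://idp.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="uid">
      <afp:PermitValueRule xsi:type="ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

def issuer_permits(policy_xml):
    """Map each attributeID denied under an xsi:type="ANY" policy to the
    issuer entityIDs whose AttributeIssuerString policies permit it."""
    root = ET.fromstring(policy_xml)
    denied, permits = set(), {}
    for pol in root.findall("afp:AttributeFilterPolicy", NS):
        req = pol.find("afp:PolicyRequirementRule", NS)
        kind = req.get(XSI_TYPE)  # prefix in the value is kept verbatim by ET
        for rule in pol.findall("afp:AttributeRule", NS):
            attr = rule.get("attributeID")
            if kind == "ANY" and rule.find("afp:DenyValueRule", NS) is not None:
                denied.add(attr)
            elif kind == "basic:AttributeIssuerString" and rule.find("afp:PermitValueRule", NS) is not None:
                permits.setdefault(attr, []).append(req.get("value"))
    # An attribute denied everywhere but permitted for no issuer never arrives.
    return {a: permits.get(a, []) for a in denied}
```

An empty list in the result marks an attribute that is denied by the always-applies policy without any issuer-scoped permit, which is the "block everything" outcome the question describes.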

