ValueConfiguration differs from IdP v3.x to v4.x?

[Cantor, Scott]

On 5/16/20, 12:45 PM, "users on behalf of Marco Malavolti" <users-bounces at shibboleth.net on behalf of marco.malavolti at garr.it> wrote:

> I have 2 different attribute filters:
> 1) One to release all required attribute to resources belonging to my
> identity Federation and satisfied with:

The problem is that you're never going to end up with any practical result that way, there's very little accurate metadata for that sort of thing. Obviously, in this case what you're seeing is that nobody's telling you *what* entitlement they actually require. It's never going to be sensible to just ask for "eduPersonEntitlement" without that part. So the metadata's wrong, and you get the wrong result by using it for attribute release.

> Both are valid rules and the first one causes the releasing of all
> attributes of eduPersonEntitlement.

Rules are additive, they just accumulate "permit" results. Only explicit Deny rules will override a Permit.

> Are there other valid solution than change the attribute filter 1) into:

You can use a DenyValueRule for Elsevier I guess, but I think the fundamental fix is just get rid of the AttributeInMetadata rule. It might have some local applicability for metadata you control, but it's pretty unworkable beyond that unless you have very meticulous oversight of the metadata happening by somebody else.

I moved to metadata tags to drive my attribute release last year and got rid of most of my special rules. I have default release of some data, and then I also added an entity category tag that I use to signal "no-default-release", which turns off the defaults, and then I add tags per-attribute to SPs that need something specific. I barely ever touch the filter policy anymore.

-- Scott