Help with Specific Attribute Filter

Mak, Steve makst at
Fri Nov 12 16:03:09 UTC 2021

You can make a new filter policy just for that SP and set a deny rule on eduPersonScopedAffiliation. Deny rules always win.

From: users <users-bounces at> on behalf of Jason Rotunno <jrotunno at>
Reply-To: Shib Users <users at>
Date: Friday, November 12, 2021 at 11:01 AM
To: Shib Users <users at>
Subject: Help with Specific Attribute Filter

Hey All,

We're running Shibboleth IdP 4.0.1 and have an attribute filter to release a set of core attributes to InCommon members:

<!-- Attribute release for all InCommon SPs -->
<AttributeFilterPolicy id="releaseToInCommon">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="givenName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="surname">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

There's a particular InCommon SP for which we have to omit sending the eduPersonScopedAffiliation attribute and I haven't been able to figure out how to do that. Does anyone have an idea of how to achieve this?



Jason Rotunno

System & Security Administrator

Swarthmore College

500 College Ave

Swarthmore, PA 19081


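The approach suggested in the reply, written out as an added example that is not part of the original thread: a second policy scoped to the one SP, carrying a deny rule for eduPersonScopedAffiliation. The policy id and the entityID `https://sp.example.org/shibboleth` are placeholders, and the fragment assumes it sits inside the same AttributeFilterPolicyGroup (with the same namespace declarations) as the existing `releaseToInCommon` policy.

```xml
<!-- Added example: withhold eduPersonScopedAffiliation from one SP only.
     The id and the entityID value below are placeholders. -->
<AttributeFilterPolicy id="denyScopedAffiliationToExampleSP">

    <!-- Activates only when the requesting SP's entityID matches exactly,
         so every other InCommon SP keeps the existing release. -->
    <PolicyRequirementRule xsi:type="Requester"
                           value="https://sp.example.org/shibboleth" />

    <!-- Both this policy and releaseToInCommon are active for this SP.
         A value matched by a DenyValueRule in any active policy is removed
         from the result even though another policy permits it. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
```

After reloading the filter, the `aacli` tool shipped with the IdP can be run for a test principal against that SP's entityID to confirm that the attribute is no longer in the released set while the other core attributes still are.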