Help with Specific Attribute Filter
Jason Rotunno
jrotunno at swarthmore.edu
Fri Nov 12 16:05:06 UTC 2021
Ah, well that sounds easy. Thanks Steve!
Jason
On Fri, Nov 12, 2021 at 11:03 AM Mak, Steve <makst at upenn.edu> wrote:
> You can make a new filter policy just for that SP and set a deny rule on
> eduPersonScopedAffiliation. Deny rules always win.
>
>
>
> *From: *users <users-bounces at shibboleth.net> on behalf of Jason Rotunno <
> jrotunno at swarthmore.edu>
> *Reply-To: *Shib Users <users at shibboleth.net>
> *Date: *Friday, November 12, 2021 at 11:01 AM
> *To: *Shib Users <users at shibboleth.net>
> *Subject: *Help with Specific Attribute Filter
>
>
>
> Hey All,
>
>
>
> We're running Shibboleth IdP 4.0.1 and have an attribute filter to release
> a set of core attributes to InCommon members:
>
>
>
> <!-- Attribute release for all InCommon SPs -->
> <AttributeFilterPolicy id="releaseToInCommon">
>     <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
>         attributeName="http://macedir.org/entity-category"
>         attributeValue="http://id.incommon.org/category/registered-by-incommon"/>
>     <AttributeRule attributeID="eduPersonPrincipalName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="eduPersonScopedAffiliation">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="givenName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="surname">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="displayName">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
>     <AttributeRule attributeID="email">
>         <PermitValueRule xsi:type="ANY" />
>     </AttributeRule>
> </AttributeFilterPolicy>
>
>
>
> There's a particular InCommon SP for which we have to omit sending the
> eduPersonScopedAffiliation attribute and I haven't been able to figure out
> how to do that. Does anyone have an idea of how to achieve this?
>
>
>
> Thanks,
>
> Jason
>
>
>
>
>
> --
>
> Jason Rotunno
>
> System & Security Administrator
>
> Swarthmore College
>
> 500 College Ave
>
> Swarthmore, PA 19081
>
> 610.328.8505
>
> *VERIFY before you click!!*
>
> - Attackers make their emails look like they come from someone they don't.
>
> - Attackers make links look like they go to websites they don't.
>
> - Attackers disguise malware as receipts, invoices, faxes, etc.
>
> Forward suspicious emails to phishing at swarthmore.edu.
>
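The per-SP deny policy suggested in the reply above, written out as an added example (not part of the original thread). The policy id and the entityID `https://sp.example.org/shibboleth` are placeholders; substitute the real entityID of the SP in question.

```xml
<!-- Added example: goes in conf/attribute-filter.xml alongside the existing
     releaseToInCommon policy. Policy id and entityID are placeholders. -->
<AttributeFilterPolicy id="denyScopedAffiliationToExampleSP">

    <!-- Apply this policy only when the requesting SP has this entityID -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/shibboleth" />

    <!-- Deny every value of eduPersonScopedAffiliation for that SP.
         A deny rule overrides the PermitValueRule in releaseToInCommon,
         so the order of the two policies in the file does not matter. -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
        <DenyValueRule xsi:type="ANY" />
    </AttributeRule>

</AttributeFilterPolicy>
```

After reloading the attribute filter configuration, the result can be checked with `bin/aacli.sh -n <username> -r https://sp.example.org/shibboleth`: the output should still list the other core attributes but no longer include eduPersonScopedAffiliation.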