Attribute filter policy conditional on existence of attribute?

Baron Fujimoto baron at
Fri Nov 18 01:41:04 UTC 2022

I'd like to define an AttributeFilterPolicy that conditionally releases one
of two attributes depending on whether one of the two exists or not. In
pseudocode, essentially:

If ( defined attrFoo ) {
    permit attrFoo
else {
    permit attrBar

There's probably a best practice way to accomplish this, which isn't the
following, and I would appreciate any suggestions.

My first (failed) attempt was something like:

    <AttributeFilterPolicy id="example">
        <PolicyRequirementRule xsi:type="Requester"
                value="" />

        <AttributeRule attributeID="attrFoo">
            <PermitValueRule xsi:type="NumberOfAttributeValues"
attributeID="attrFoo" minimum="1" maximum="1" />

        <AttributeRule attributeID="attrBar">
            <PermitValueRule xsi:type="NumberOfAttributeValues"
attributeID="attrFoo" minimum="0" maximum="0" />


But this resulted an error

- Service 'shibboleth.AttributeFilterService': Reload for
shibboleth.AttributeFilterService failed Failed to
load [file [/home/shib/idp/conf/attribute-filter.xml], class path resource
Caused by: org.springframework.beans.PropertyBatchUpdateException: Failed
properties: Property 'maximum' threw exception; nested exception is
max value must be > 0

The wiki page for NumberOfAttributeValuesConfiguration at <>
"The policy returns true iff the number of values is >= 'minimum' and  the
number of values is  <= 'maximum'." and that maximum must be a,
"Non-negative (>=0) Integer", so it seems like this should have worked? Or
are the docs incorrect and it should really be "Positive (>0) Integer"? Or
I'm missing something else (and moot, if there's a better way to accomplish

This is IdP v4.2.1
Baron Fujimoto <baron at> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list