Attribute filter policy conditional on existence of attribute?

Baron Fujimoto baron at hawaii.edu
Fri Nov 18 18:20:52 UTC 2022


Using ValueRegex, this seems to work:

    <AttributeFilterPolicy id="example">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://example.com/sp" />

        <AttributeRule attributeID="attrFoo">
            <PermitValueRule xsi:type="NOT">
                <Rule xsi:type="ValueRegex" attributeID="attrBar" regex="." />
            </PermitValueRule>
        </AttributeRule>

        <AttributeRule attributeID="uhAltUid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

I originally also looked at using ValueRegex, but on the
ValueRegexConfiguration wiki page at
<https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/1265631548/ValueRegexConfiguration>,
this approach looks like the Compound Matcher example which is labeled as
deprecated, so that gave me pause and is why I settled on the non-viable
NumberOfAttributeValues attempt. Is this not a deprecated Compound Matcher
as in that example?

On Fri, Nov 18, 2022 at 2:13 AM Rod Widdowson <rdw at steadingsoftware.com>
wrote:

> It turns out that right now if you do a ValueRegex PolicyRule and the
> attribute doesn't exist then the PolicyRule is false.  So
>
>         <PolicyRequirementRule xsi:type="ValueRegex" regex=".*" attributeID="attrfoo"/>
>
> Right now (and only right now), you are testing for the attribute having
> any (String) value and thus being present.
>
> However this behavior is not documented and may change in a future
> release.  In particular this area of code (how we deal with things not
> being there) is under active development so I'd defer strongly to Scott
> about this.
>
> Me, I'd not rely on this until I saw it documented.
>
>         /Rod


-- 
Baron Fujimoto <baron at hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum