<?xml version="1.0" encoding="UTF-8"?>
 
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
    <!-- Example of entityID-based attribute release to a demo Service Provider -->
    <AttributeFilterPolicy id="demosp">
      <!-- Matches on the requesting SP's entityID. The OR wrapper currently
           holds a single Requester rule; further demo SPs can be listed here. -->
      <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" />
      </PolicyRequirementRule>

      <!-- permitAny="true" releases every value of the attribute with no value
           filtering and no check of the SP's RequestedAttributes. That includes
           all eduPersonEntitlement values the user holds and both SAML subject
           identifiers, so the demo SP sees the full set. Narrow this list before
           copying the policy for a production SP. -->
      <AttributeRule attributeID="givenName" permitAny="true" />
      <AttributeRule attributeID="sn" permitAny="true" />
      <AttributeRule attributeID="displayName" permitAny="true" />
      <AttributeRule attributeID="cn" permitAny="true" />
      <AttributeRule attributeID="mail" permitAny="true" />
      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
      <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" />
      <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
      <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
      <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
      <AttributeRule attributeID="o" permitAny="true" />
      <AttributeRule attributeID="samlPairwiseID" permitAny="true" />
      <AttributeRule attributeID="samlSubjectID" permitAny="true" />
      <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
      <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" />
      <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" />
    </AttributeFilterPolicy>
 
    <!-- Rule to honour Subject ID requirement tag in metadata. -->
    <!-- Used in combination with GEANT/REFEDS Code of Conduct v* -->
    <!-- Code of Conduct can be combined with other entity categories -->
    <AttributeFilterPolicy id="subject-identifiers">
      <!-- Applies to SPs tagged with either Code of Conduct entity category
           (GEANT v1 or REFEDS v2). -->
      <PolicyRequirementRule xsi:type="OR">
        <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
        <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
      </PolicyRequirementRule>

      <!-- Which identifier is released is driven by the SP's
           urn:oasis:names:tc:SAML:profiles:subject-id:req entity attribute in
           metadata: samlPairwiseID when the SP asks for "pairwise-id" or "any",
           samlSubjectID only when it asks for "subject-id". An SP that accepts
           "any" therefore receives only the pairwise (per-SP) identifier,
           never the global one. -->
      <AttributeRule attributeID="samlPairwiseID">
        <PermitValueRule xsi:type="OR">
          <Rule xsi:type="EntityAttributeExactMatch"
              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="pairwise-id" />
          <Rule xsi:type="EntityAttributeExactMatch"
              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="any" />
        </PermitValueRule>
      </AttributeRule>
      <AttributeRule attributeID="samlSubjectID">
        <PermitValueRule xsi:type="EntityAttributeExactMatch"
            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="subject-id" />
      </AttributeRule>
    </AttributeFilterPolicy>
 
    <!-- REFEDS Research and Scholarship -->
    <!-- https://refeds.org/category/research-and-scholarship -->
    <!-- https://www.eduid.cz/cs/tech/categories/rs -->
    <AttributeFilterPolicy id="releasetoRandS">
      <!-- Applies to SPs tagged with the REFEDS Research and Scholarship
           entity category. -->
      <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
      <!-- RandS requires: An identifier, email and a person's name.
        If ePPN values could be reassigned you MUST also release
        eduPersonTargetedID/persistent NameID. Always releasing ePTID/persistent
        NameID is recommended, though. As is releasing givenName+sn
        in addition to displayName, to help with interoperability. -->
      <!-- The rules below are permitAny: every value is released, with no value
           filtering and no check of the SP's RequestedAttributes.
           NOTE(review): samlPairwiseID/samlSubjectID are not released by this
           policy although other policies in this file handle them; confirm
           against the current Research and Scholarship specification whether
           they should be added here. -->
      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
      <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
      <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
      <AttributeRule attributeID="mail" permitAny="true" />
      <AttributeRule attributeID="displayName" permitAny="true" />
      <AttributeRule attributeID="givenName" permitAny="true" />
      <AttributeRule attributeID="sn" permitAny="true" />
      <!-- Affiliation is optional but release is "strongly recommended".
           Only the listed affiliation values are released (matched
           case-insensitively); any other value is withheld. -->
      <AttributeRule attributeID="eduPersonScopedAffiliation">
        <PermitValueRule xsi:type="OR">
          <Rule xsi:type="Value" value="faculty" caseSensitive="false"/>
          <Rule xsi:type="Value" value="student" caseSensitive="false"/>
          <Rule xsi:type="Value" value="staff" caseSensitive="false"/>
          <Rule xsi:type="Value" value="alum" caseSensitive="false"/>
          <Rule xsi:type="Value" value="member" caseSensitive="false"/>
          <Rule xsi:type="Value" value="affiliate" caseSensitive="false"/>
          <Rule xsi:type="Value" value="employee" caseSensitive="false"/>
          <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false"/>
        </PermitValueRule>
      </AttributeRule>
    </AttributeFilterPolicy>
 
    <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
    <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata -->
    <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
        <!-- Applies to SPs tagged with either Code of Conduct entity category
             (GEANT v1 or REFEDS v2). -->
        <PolicyRequirementRule xsi:type="OR">
            <Rule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
            <Rule xsi:type="EntityAttributeExactMatch"
                attributeName="http://macedir.org/entity-category"
                attributeValue="https://refeds.org/category/code-of-conduct/v2" />
        </PolicyRequirementRule>

        <!-- AttributeInMetadata releases an attribute only if the SP's metadata
             lists it as a RequestedAttribute. With onlyIfRequired="true" the SP
             must additionally mark it isRequired="true"; with
             onlyIfRequired="false" an optional request is enough. So the SP's
             own metadata, not this file, decides what it receives; keep that in
             mind when reviewing what the federation publishes for an SP. -->
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="cn">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAssurance">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <!-- Released even when the SP requests it only as optional. -->
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
        <!-- Deprecated, unlikely to be used in the future
        <AttributeRule attributeID="eduPersonUniqueId">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
        </AttributeRule>
        <!-- Entitlements: the SP must mark the attribute as required AND only
             the two listed values are released; all other entitlement values
             the user holds are withheld. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                <Rule xsi:type="OR">
                    <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
                    <Rule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user"/>
                </Rule>
            </PermitValueRule>
        </AttributeRule>
        <!-- ESI-form schacPersonalUniqueCode is not released under CoCo; its
             release follows membership of the ESI entity category (see the
             separate ESI policy) instead of the CoCo EC.
        <AttributeRule attributeID="schacPersonalUniqueCode">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
                <Rule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$" />
            </PermitValueRule>
        </AttributeRule>
        -->
        <!-- Organisation attributes are released on an optional request too. -->
        <AttributeRule attributeID="schacHomeOrganization">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
        <AttributeRule attributeID="schacHomeOrganizationType">
            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
        </AttributeRule>
    </AttributeFilterPolicy>
 
    <!-- ESI European Student Identifier -->
    <AttributeFilterPolicy id="entity-category-european-student-identifier">
        <!-- Applies to SPs tagged with the ESI entity category. -->
        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="https://myacademicid.org/entity-categories/esi" />
        <!-- Only ESI-form values of schacPersonalUniqueCode are released,
             independent of the SP's RequestedAttributes.
             NOTE(review): this pattern has no trailing "$" while the
             commented-out CoCo variant of the same rule is anchored; both
             accept the same single-line values, but align them so the intent
             is obvious. -->
        <AttributeRule attributeID="schacPersonalUniqueCode">
            <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
        </AttributeRule>
        <!-- The EWP admin entitlement is released only if the SP lists
             eduPersonEntitlement in its metadata (required or optional);
             no other entitlement value is released by this policy. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="AND">
                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
                <Rule xsi:type="Value" value="urn:geant:erasmuswithoutpaper.eu:ewp:admin"/>
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>
 
    <!-- Release to TCS portal -->
    <AttributeFilterPolicy id="TCSportal">
      <!-- Applies only to the SP with this exact entityID. -->
      <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />
      <!-- permitAny="true": all values released, no metadata check. -->
      <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
      <AttributeRule attributeID="displayName" permitAny="true" />
      <AttributeRule attributeID="cn" permitAny="true" />
      <AttributeRule attributeID="givenName" permitAny="true" />
      <AttributeRule attributeID="sn" permitAny="true" />
      <AttributeRule attributeID="mail" permitAny="true" />
      <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
      <!-- Only the TCS personal-user entitlement is released; any other
           eduPersonEntitlement values the user holds are withheld. -->
      <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user" />
      </AttributeRule>
    </AttributeFilterPolicy>
 
    <!-- Fallback attribute release to anyone -->
    <!-- Adjust the list to match a local privacy policy -->
    <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata">
      <!-- xsi:type="ANY" matches every requester, so the two attributes below
           go to every SP the IdP knows from metadata, whether or not the SP
           requested them. Treat anything added here as visible to the whole
           federation. -->
      <PolicyRequirementRule xsi:type="ANY"/>
      <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
      <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
    </AttributeFilterPolicy>
 
    <!--  transient ID release is enabled by default  -->
    <!--
    <AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <PolicyRequirementRule xsi:type="ANY" />
 
        <AttributeRule attributeID="transientId">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
    -->
 
</AttributeFilterPolicyGroup>