Rozdiely

Tu môžete vidieť rozdiely medzi vybranou verziou a aktuálnou verziou danej stránky.

--- install:idp:idp:attribute-filter [13. 08. 2021 09:14] – mstanislav@umb.sk
+++ install:idp:idp:attribute-filter [08. 12. 2025 09:02] (aktuálne) – mstanislav@umb.sk
@@ Riadok 11: / Riadok 11: @@
       <PolicyRequirementRule xsi:type="OR">
         <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" />
-        <Rule xsi:type="Requester" value="https://www.safeid.sk/shibboleth" />
       </PolicyRequirementRule>
@@ Riadok 19: / Riadok 18: @@
       <AttributeRule attributeID="cn" permitAny="true" />
       <AttributeRule attributeID="mail" permitAny="true" />
+      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
       <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" />
       <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
@@ Riadok 29: / Riadok 29: @@
       <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" />
       <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" />
+    </AttributeFilterPolicy>
+    <!-- Rule to honour Subject ID requirement tag in metadata. -->
+    <!-- Used in combination with GEANT/REFEDS Code of Conduct v* -->
+    <!-- Code of Conduct can be combined with other entity categories -->
+    <AttributeFilterPolicy id="subject-identifiers">
+      <PolicyRequirementRule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://macedir.org/entity-category"
+            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
+        <Rule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://macedir.org/entity-category"
+            attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
+      </PolicyRequirementRule>
+      <AttributeRule attributeID="samlPairwiseID">
+        <PermitValueRule xsi:type="OR">
+          <Rule xsi:type="EntityAttributeExactMatch"
+              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="pairwise-id" />
+          <Rule xsi:type="EntityAttributeExactMatch"
+              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="any" />
+        </PermitValueRule>
+      </AttributeRule>
+      <AttributeRule attributeID="samlSubjectID">
+        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="subject-id" />
+      </AttributeRule>
     </AttributeFilterPolicy>
@@ Riadok 43: / Riadok 76: @@
         NameID is recommended, though. As is releasing givenName+sn
         in addition to displayName, to help with interoperability. -->
+      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
       <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
       <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
@@ Riadok 64: / Riadok 98: @@
     </AttributeFilterPolicy>
-    <!-- GEANT Data protection Code of Conduct -->
+    <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
     <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata -->
     <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
-        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+        <PolicyRequirementRule xsi:type="OR">
-            attributeName="http://macedir.org/entity-category"
+            <Rule xsi:type="EntityAttributeExactMatch"
-            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+                attributeName="http://macedir.org/entity-category"
+                attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+            <Rule xsi:type="EntityAttributeExactMatch"
+                attributeName="http://macedir.org/entity-category"
+                attributeValue="https://refeds.org/category/code-of-conduct/v2" />
+        </PolicyRequirementRule>
         <AttributeRule attributeID="displayName">
@@ Riadok 84: / Riadok 123: @@
         </AttributeRule>
         <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAssurance">
             <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
         </AttributeRule>
@@ Riadok 112: / Riadok 154: @@
             </PermitValueRule>
         </AttributeRule>
+        <!-- ESI release tracks the members of ESI Entity Category instead of CoCo EC
         <AttributeRule attributeID="schacPersonalUniqueCode">
             <PermitValueRule xsi:type="AND">
@@ Riadok 118: / Riadok 161: @@
             </PermitValueRule>
         </AttributeRule>
+        -->
         <AttributeRule attributeID="schacHomeOrganization">
             <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
@@ Riadok 123: / Riadok 167: @@
         <AttributeRule attributeID="schacHomeOrganizationType">
             <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+    <!-- ESI European Student Identifier -->
+    <AttributeFilterPolicy id="entity-category-european-student-identifier">
+        <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://macedir.org/entity-category"
+            attributeValue="https://myacademicid.org/entity-categories/esi" />
+        <AttributeRule attributeID="schacPersonalUniqueCode">
+            <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="AND">
+                <Rule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
+                <Rule xsi:type="Value" value="urn:geant:erasmuswithoutpaper.eu:ewp:admin"/>
+            </PermitValueRule>
         </AttributeRule>
     </AttributeFilterPolicy>
@@ Riadok 141: / Riadok 201: @@
     </AttributeFilterPolicy>
-    <!-- Fallback attribute release to anyone -->
+    <!-- Release to anyone requesting ePSA, sHO -->
     <!-- Adjust the list to match a local privacy policy -->
-    <AttributeFilterPolicy id="releasePersistentIdToAnyone">
+    <AttributeFilterPolicy id="releaseToAnyoneRequesting">
-      <PolicyRequirementRule xsi:type="ANY"/>
+      <PolicyRequirementRule xsi:type="ANY" />
-      <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
-      <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
+      <AttributeRule attributeID="eduPersonScopedAffiliation">
-      <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+      </AttributeRule>
+      <AttributeRule attributeID="schacHomeOrganization">
+          <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+      </AttributeRule>
     </AttributeFilterPolicy>
-    <!--  Release the transient ID to anyone -->
+    <!--  transient ID release is enabled by default  -->
+    <!--
     <AttributeFilterPolicy id="releaseTransientIdToAnyone">
         <PolicyRequirementRule xsi:type="ANY" />
@@ Riadok 158: / Riadok 223: @@
         </AttributeRule>
     </AttributeFilterPolicy>
+    -->
 </AttributeFilterPolicyGroup>
 </code>