install:idp:idp:attribute-filter [07. 06. 2021 13:20] jnamesny@umb.sk vytvorené |
install:idp:idp:attribute-filter [07. 02. 2023 09:37] (aktuálne) mstanislav@umb.sk |
<PolicyRequirementRule xsi:type="OR"> | <PolicyRequirementRule xsi:type="OR"> |
<Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> | <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> |
<Rule xsi:type="Requester" value="https://www.safeid.sk/shibboleth" /> | |
</PolicyRequirementRule> | </PolicyRequirementRule> |
| |
<AttributeRule attributeID="displayName" permitAny="true" /> | <AttributeRule attributeID="displayName" permitAny="true" /> |
<AttributeRule attributeID="cn" permitAny="true" /> | <AttributeRule attributeID="cn" permitAny="true" /> |
<AttributeRule attributeID="commonNameASCII" permitAny="true" /> | |
<AttributeRule attributeID="mail" permitAny="true" /> | <AttributeRule attributeID="mail" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
<AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> |
<AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
<AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" /> | <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" /> |
<AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" /> | <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" /> |
| </AttributeFilterPolicy> |
| |
| <!-- Rule to honour Subject ID requirement tag in metadata. --> |
| <!-- Used in combination with GEANT/REFEDS Code of Conduct v* --> |
| <!-- Code of Conduct can be combined with other entity categories --> |
| <AttributeFilterPolicy id="subject-identifiers"> |
| <PolicyRequirementRule xsi:type="OR"> |
| <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="http://macedir.org/entity-category" |
| attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/> |
| <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="http://macedir.org/entity-category" |
| attributeValue="https://refeds.org/category/code-of-conduct/v2"/> |
| </PolicyRequirementRule> |
| |
| <AttributeRule attributeID="samlPairwiseID"> |
| <PermitValueRule xsi:type="OR"> |
| <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
| attributeValue="pairwise-id" /> |
| <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
| attributeValue="any" /> |
| </PermitValueRule> |
| </AttributeRule> |
| <AttributeRule attributeID="samlSubjectID"> |
| <PermitValueRule xsi:type="EntityAttributeExactMatch" |
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
| attributeValue="subject-id" /> |
| </AttributeRule> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
NameID is recommended, though. As is releasing givenName+sn | NameID is recommended, though. As is releasing givenName+sn |
in addition to displayName, to help with interoperability. --> | in addition to displayName, to help with interoperability. --> |
| <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
<AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> |
<AttributeRule attributeID="displayName" permitAny="true" /> | <AttributeRule attributeID="displayName" permitAny="true" /> |
<AttributeRule attributeID="givenName" permitAny="true" /> | <AttributeRule attributeID="givenName" permitAny="true" /> |
<AttributeRule attributeID="surname" permitAny="true" /> | <AttributeRule attributeID="sn" permitAny="true" /> |
<!-- Affiliation is optional but release is "strongly recommended". --> | <!-- Affiliation is optional but release is "strongly recommended". --> |
<AttributeRule attributeID="eduPersonScopedAffiliation"> | <AttributeRule attributeID="eduPersonScopedAffiliation"> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
<!-- GEANT Data protection Code of Conduct --> | <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> |
<!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> | <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> |
<AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> | <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> |
<PolicyRequirementRule xsi:type="EntityAttributeExactMatch" | <PolicyRequirementRule xsi:type="OR"> |
attributeName="http://macedir.org/entity-category" | <Rule xsi:type="EntityAttributeExactMatch" |
attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> | attributeName="http://macedir.org/entity-category" |
| attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" /> |
| <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="http://macedir.org/entity-category" |
| attributeValue="https://refeds.org/category/code-of-conduct/v2" /> |
| </PolicyRequirementRule> |
| |
<AttributeRule attributeID="displayName"> | <AttributeRule attributeID="displayName"> |
</AttributeRule> | </AttributeRule> |
<AttributeRule attributeID="mail"> | <AttributeRule attributeID="mail"> |
| <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
| </AttributeRule> |
| <AttributeRule attributeID="eduPersonAssurance"> |
| <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
| </AttributeRule> |
| <AttributeRule attributeID="eduPersonAffiliation"> |
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> | <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
</AttributeRule> | </AttributeRule> |
</PermitValueRule> | </PermitValueRule> |
</AttributeRule> | </AttributeRule> |
| <!-- ESI release tracks the members of ESI Entity Category instead of CoCo EC |
<AttributeRule attributeID="schacPersonalUniqueCode"> | <AttributeRule attributeID="schacPersonalUniqueCode"> |
<PermitValueRule xsi:type="AND"> | <PermitValueRule xsi:type="AND"> |
</PermitValueRule> | </PermitValueRule> |
</AttributeRule> | </AttributeRule> |
| --> |
<AttributeRule attributeID="schacHomeOrganization"> | <AttributeRule attributeID="schacHomeOrganization"> |
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" /> | <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" /> |
| </AttributeRule> |
| <AttributeRule attributeID="schacHomeOrganizationType"> |
| <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" /> |
| </AttributeRule> |
| </AttributeFilterPolicy> |
| |
| <!-- ESI European Student Identifier --> |
| <AttributeFilterPolicy id="entity-category-european-student-identifier"> |
| <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" |
| attributeName="http://macedir.org/entity-category" |
| attributeValue="https://myacademicid.org/entity-categories/esi" /> |
| <AttributeRule attributeID="schacPersonalUniqueCode"> |
| <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" /> |
| </AttributeRule> |
| <AttributeRule attributeID="eduPersonEntitlement"> |
| <PermitValueRule xsi:type="AND"> |
| <Rule xsi:type="AttributeInMetadata" onlyIfRequired="false" /> |
| <Rule xsi:type="Value" value="urn:geant:erasmuswithoutpaper.eu:ewp:admin"/> |
| </PermitValueRule> |
</AttributeRule> | </AttributeRule> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
<!-- Fallback attribute release to anyone --> | <!-- Fallback attribute release to anyone --> |
<!-- Adjust the list to match a local privacy policy --> | <!-- Adjust the list to match a local privacy policy --> |
<AttributeFilterPolicy id="releasePersistentIdToAnyone"> | <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata"> |
<PolicyRequirementRule xsi:type="ANY"/> | <PolicyRequirementRule xsi:type="ANY"/> |
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> |
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | |
<AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> | <AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
<!-- Release the transient ID to anyone --> | <!-- transient ID release is enabled by default --> |
| <!-- |
<AttributeFilterPolicy id="releaseTransientIdToAnyone"> | <AttributeFilterPolicy id="releaseTransientIdToAnyone"> |
<PolicyRequirementRule xsi:type="ANY" /> | <PolicyRequirementRule xsi:type="ANY" /> |
</AttributeRule> | </AttributeRule> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| --> |
</AttributeFilterPolicyGroup> | </AttributeFilterPolicyGroup> |
</code> | </code> |
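Review bot: The CoCo policy mixes `onlyIfRequired="true"` for mail, eduPersonAssurance and eduPersonAffiliation with `onlyIfRequired="false"` for schacHomeOrganization and schacHomeOrganizationType without a word on why; with `false` the attribute is released to any CoCo SP that merely lists it in its RequestedAttributes, not only to one that marks it isRequired, so the two groups have a visibly different release scope. If that is deliberate, a comment before the schacHomeOrganization rule such as `<!-- schacHomeOrganization(Type) are released when merely requested (onlyIfRequired="false"); the other CoCo attributes only when the SP marks them required -->` would keep a later edit from "fixing" one side to match the other. The new unconditional `eduPersonAssurance` rules in the Requester-gated policy and in the policy whose comment mentions givenName+sn appear to release it to every SP those policies match regardless of whether it is requested; if the attribute is not part of the bundle those policies implement, an `AttributeInMetadata` permit rule would narrow it, but the ids of those policies are not visible here. The AttributeFilterPolicy enclosing the first PolicyRequirementRule starts above the visible section.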