Rozdiely

Tu môžete vidieť rozdiely medzi vybranou verziou a aktuálnou verziou danej stránky.

--- install:idp:idp:attribute-filter [25. 11. 2022 10:46]
mstanislav@umb.sk
+++ install:idp:idp:attribute-filter [07. 02. 2023 09:37] (aktuálne)
mstanislav@umb.sk
@@ Riadok 11: / Riadok 11: @@
       <PolicyRequirementRule xsi:type="OR">
         <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" />
-        <Rule xsi:type="Requester" value="https://www.safeid.sk/shibboleth" />
       </PolicyRequirementRule>
@@ Riadok 19: / Riadok 18: @@
       <AttributeRule attributeID="cn" permitAny="true" />
       <AttributeRule attributeID="mail" permitAny="true" />
+      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
       <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" />
       <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
@@ Riadok 29: / Riadok 29: @@
       <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" />
       <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" />
+    </AttributeFilterPolicy>
+    <!-- Rule to honour Subject ID requirement tag in metadata. -->
+    <!-- Used in combination with GEANT/REFEDS Code of Conduct v* -->
+    <!-- Code of Conduct can be combined with other entity categories -->
+    <AttributeFilterPolicy id="subject-identifiers">
+      <PolicyRequirementRule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://macedir.org/entity-category"
+            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
+        <Rule xsi:type="EntityAttributeExactMatch"
+            attributeName="http://macedir.org/entity-category"
+            attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
+      </PolicyRequirementRule>
+      <AttributeRule attributeID="samlPairwiseID">
+        <PermitValueRule xsi:type="OR">
+          <Rule xsi:type="EntityAttributeExactMatch"
+              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="pairwise-id" />
+          <Rule xsi:type="EntityAttributeExactMatch"
+              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+              attributeValue="any" />
+        </PermitValueRule>
+      </AttributeRule>
+      <AttributeRule attributeID="samlSubjectID">
+        <PermitValueRule xsi:type="EntityAttributeExactMatch"
+            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
+            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+            attributeValue="subject-id" />
+      </AttributeRule>
     </AttributeFilterPolicy>
@@ Riadok 43: / Riadok 76: @@
         NameID is recommended, though. As is releasing givenName+sn
         in addition to displayName, to help with interoperability. -->
+      <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
       <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
       <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
@@ Riadok 64: / Riadok 98: @@
     </AttributeFilterPolicy>
-    <!-- GEANT & REFEDS Data protection Code of Conduct -->
+    <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
     <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata -->
     <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
@@ Riadok 89: / Riadok 123: @@
         </AttributeRule>
         <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAssurance">
             <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
         </AttributeRule>
@@ Riadok 166: / Riadok 203: @@
     <!-- Fallback attribute release to anyone -->
     <!-- Adjust the list to match a local privacy policy -->
-    <AttributeFilterPolicy id="releasePersistentIdToAnyone">
+    <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata">
       <PolicyRequirementRule xsi:type="ANY"/>
       <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
-      <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
       <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
     </AttributeFilterPolicy>
-    <!--  Release the transient ID to anyone -->
+    <!--  transient ID release is enabled by default  -->
+    <!--
     <AttributeFilterPolicy id="releaseTransientIdToAnyone">
         <PolicyRequirementRule xsi:type="ANY" />
@@ Riadok 181: / Riadok 218: @@
         </AttributeRule>
     </AttributeFilterPolicy>
+    -->
 </AttributeFilterPolicyGroup>
 </code>