install:idp:idp:attribute-filter [25. 11. 2022 11:01] mstanislav@umb.sk |
install:idp:idp:attribute-filter [07. 02. 2023 09:37] (aktuálne) mstanislav@umb.sk |
<PolicyRequirementRule xsi:type="OR"> | <PolicyRequirementRule xsi:type="OR"> |
<Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> | <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> |
<Rule xsi:type="Requester" value="https://www.safeid.sk/shibboleth" /> | |
</PolicyRequirementRule> | </PolicyRequirementRule> |
| |
<AttributeRule attributeID="cn" permitAny="true" /> | <AttributeRule attributeID="cn" permitAny="true" /> |
<AttributeRule attributeID="mail" permitAny="true" /> | <AttributeRule attributeID="mail" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
<AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> |
<AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
<!-- Rule to honour Subject ID requirement tag in metadata. --> | <!-- Rule to honour Subject ID requirement tag in metadata. --> |
<!-- Used in combination with GEANT/REFEDS Code of Conduct v* --> | <!-- Used in combination with GEANT/REFEDS Code of Conduct v* --> |
| <!-- Code of Conduct can be combined with other entity categories --> |
<AttributeFilterPolicy id="subject-identifiers"> | <AttributeFilterPolicy id="subject-identifiers"> |
<PolicyRequirementRule xsi:type="OR"> | <PolicyRequirementRule xsi:type="OR"> |
<AttributeRule attributeID="samlPairwiseID"> | <AttributeRule attributeID="samlPairwiseID"> |
<PermitValueRule xsi:type="OR"> | <PermitValueRule xsi:type="OR"> |
<Rule xsi:type="EntityAttributeExactMatch" | <Rule xsi:type="EntityAttributeExactMatch" |
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
attributeValue="pairwise-id" /> | attributeValue="pairwise-id" /> |
<Rule xsi:type="EntityAttributeExactMatch" | <Rule xsi:type="EntityAttributeExactMatch" |
attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
attributeValue="any" /> | attributeValue="any" /> |
</PermitValueRule> | </PermitValueRule> |
</AttributeRule> | </AttributeRule> |
NameID is recommended, though. As is releasing givenName+sn | NameID is recommended, though. As is releasing givenName+sn |
in addition to displayName, to help with interoperability. --> | in addition to displayName, to help with interoperability. --> |
| <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
<AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
<!-- GEANT & REFEDS Data protection Code of Conduct --> | <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> |
<!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> | <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> |
<AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> | <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> |
</AttributeRule> | </AttributeRule> |
<AttributeRule attributeID="mail"> | <AttributeRule attributeID="mail"> |
| <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
| </AttributeRule> |
| <AttributeRule attributeID="eduPersonAssurance"> |
<PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> | <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
</AttributeRule> | </AttributeRule> |
<!-- Fallback attribute release to anyone --> | <!-- Fallback attribute release to anyone --> |
<!-- Adjust the list to match a local privacy policy --> | <!-- Adjust the list to match a local privacy policy --> |
<AttributeFilterPolicy id="releasePersistentIdToAnyone"> | <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata"> |
<PolicyRequirementRule xsi:type="ANY"/> | <PolicyRequirementRule xsi:type="ANY"/> |
<AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> |
<AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | |
<AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> | <AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
<!-- Release the transient ID to anyone --> | <!-- transient ID release is enabled by default --> |
| <!-- |
<AttributeFilterPolicy id="releaseTransientIdToAnyone"> | <AttributeFilterPolicy id="releaseTransientIdToAnyone"> |
<PolicyRequirementRule xsi:type="ANY" /> | <PolicyRequirementRule xsi:type="ANY" /> |
</AttributeRule> | </AttributeRule> |
</AttributeFilterPolicy> | </AttributeFilterPolicy> |
| --> |
</AttributeFilterPolicyGroup> | </AttributeFilterPolicyGroup> |
</code> | </code> |
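Review bot: The renamed fallback policy `DataToAnyServiceViaTrustedMetadata` still matches on `<PolicyRequirementRule xsi:type="ANY"/>`, so nothing in this file limits it to trusted metadata, and the comment above it still reads "Fallback attribute release to anyone". The restriction the new id implies presumably comes from the IdP's metadata-provider configuration, which this diff does not show. The comment should state that dependency, for example `<!-- Applies to every SP the IdP accepts; the only bound is the signature-validated metadata sources, not this rule -->`. The remaining `eduPersonScopedAffiliation` and `schacHomeOrganization` rules then go to every such SP, so that list is worth re-checking against the local privacy policy whenever a new metadata source is added.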