| Obojstranná predošlá revízia
Predchádzajúca revízia
Nasledujúca revízia
|
Predchádzajúca revízia
|
install:idp:idp:attribute-filter [25. 11. 2022 11:01]
mstanislav@umb.sk |
install:idp:idp:attribute-filter [07. 02. 2023 09:37] (aktuálne)
mstanislav@umb.sk |
| <PolicyRequirementRule xsi:type="OR"> | <PolicyRequirementRule xsi:type="OR"> |
| <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> | <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp" /> |
| <Rule xsi:type="Requester" value="https://www.safeid.sk/shibboleth" /> | |
| </PolicyRequirementRule> | </PolicyRequirementRule> |
| |
| <AttributeRule attributeID="cn" permitAny="true" /> | <AttributeRule attributeID="cn" permitAny="true" /> |
| <AttributeRule attributeID="mail" permitAny="true" /> | <AttributeRule attributeID="mail" permitAny="true" /> |
| | <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
| <!-- Rule to honour Subject ID requirement tag in metadata. --> | <!-- Rule to honour Subject ID requirement tag in metadata. --> |
| <!-- Used in combination with GEANT/REFEDS Code of Conduct v* --> | <!-- Used in combination with GEANT/REFEDS Code of Conduct v* --> |
| | <!-- Code of Conduct can be combined with other entity categories --> |
| <AttributeFilterPolicy id="subject-identifiers"> | <AttributeFilterPolicy id="subject-identifiers"> |
| <PolicyRequirementRule xsi:type="OR"> | <PolicyRequirementRule xsi:type="OR"> |
| <AttributeRule attributeID="samlPairwiseID"> | <AttributeRule attributeID="samlPairwiseID"> |
| <PermitValueRule xsi:type="OR"> | <PermitValueRule xsi:type="OR"> |
| <Rule xsi:type="EntityAttributeExactMatch" | <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
| attributeValue="pairwise-id" /> | attributeValue="pairwise-id" /> |
| <Rule xsi:type="EntityAttributeExactMatch" | <Rule xsi:type="EntityAttributeExactMatch" |
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" |
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" |
| attributeValue="any" /> | attributeValue="any" /> |
| </PermitValueRule> | </PermitValueRule> |
| </AttributeRule> | </AttributeRule> |
| NameID is recommended, though. As is releasing givenName+sn | NameID is recommended, though. As is releasing givenName+sn |
| in addition to displayName, to help with interoperability. --> | in addition to displayName, to help with interoperability. --> |
| | <AttributeRule attributeID="eduPersonAssurance" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> | <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> |
| </AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
| <!-- GEANT & REFEDS Data protection Code of Conduct --> | <!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category --> |
| <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> | <!-- Release data to EU/EEA/Adequate CoCo-SPs, based on RequestedAttributes in SAML metadata --> |
| <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> | <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct"> |
| </AttributeRule> | </AttributeRule> |
| <AttributeRule attributeID="mail"> | <AttributeRule attributeID="mail"> |
| | <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
| | </AttributeRule> |
| | <AttributeRule attributeID="eduPersonAssurance"> |
| <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> | <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" /> |
| </AttributeRule> | </AttributeRule> |
| <!-- Fallback attribute release to anyone --> | <!-- Fallback attribute release to anyone --> |
| <!-- Adjust the list to match a local privacy policy --> | <!-- Adjust the list to match a local privacy policy --> |
| <AttributeFilterPolicy id="releasePersistentIdToAnyone"> | <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata"> |
| <PolicyRequirementRule xsi:type="ANY"/> | <PolicyRequirementRule xsi:type="ANY"/> |
| <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> | <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> |
| <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" /> | |
| <AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> | <AttributeRule attributeID="schacHomeOrganization" permitAny="true" /> |
| </AttributeFilterPolicy> | </AttributeFilterPolicy> |
| |
| <!-- Release the transient ID to anyone --> | <!-- transient ID release is enabled by default --> |
| | <!-- |
| <AttributeFilterPolicy id="releaseTransientIdToAnyone"> | <AttributeFilterPolicy id="releaseTransientIdToAnyone"> |
| <PolicyRequirementRule xsi:type="ANY" /> | <PolicyRequirementRule xsi:type="ANY" /> |
| </AttributeRule> | </AttributeRule> |
| </AttributeFilterPolicy> | </AttributeFilterPolicy> |
| | --> |
| </AttributeFilterPolicyGroup> | </AttributeFilterPolicyGroup> |
| </code> | </code> |