This is an example of a standard entity category based attribute filter for SWAMID 2.0 in a Shibboleth IdP.
Prerequisites:
- The Identity Provider home organisation is willing to release attributes based on SWAMID entity categorisation of services.
- The attribute resolver in Shibolleth is configured to prepare the following attributes:
- transientId
- eduPersonTargetedID
- eduPersonPrincipalName
- norEduPersonNIN
- displayName
- givenName
- surname
- eduPersonScopedAffiliation
- organizationName
- norEduOrgAcronym
- countryName
- friendlyCountryName
- schacHomeOrganization
attribute-filter.xml
<?xml version="1.0" encoding="UTF-8"?> <afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:afp="urn:mace:shibboleth:2.0:afp" xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd"> <!-- General release to all Service Providers --> <!-- Release the transient ID to anyone --> <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone"> <afp:PolicyRequirementRule xsi:type="basic:ANY" /> <afp:AttributeRule attributeID="transientId"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- Release the pseudonym user identity to anyone --> <afp:AttributeFilterPolicy id="releasePermanentIdToAnyone"> <afp:PolicyRequirementRule xsi:type="basic:ANY" /> <afp:AttributeRule attributeID="persistentId"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- Entity category based release to Service Providers --> <!-- GEANT Dataprotection Code of Conduct --> <afp:AttributeFilterPolicy id="releaseToCoC"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="cn"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" /> </afp:PermitValueRule> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonAffiliation"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" /> </afp:PermitValueRule> </afp:AttributeRule> <afp:AttributeRule attributeID="schacHomeOrganization"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="schacHomeOrganizationType"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- REFEDS Research and Schoolarship --> <afp:AttributeFilterPolicy id="releaseToRandS"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" /> </afp:PermitValueRule> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- SWAMID Entity Category Research and Education --> <afp:AttributeFilterPolicy id="entity-category-research-and-education"> <afp:PolicyRequirementRule xsi:type="basic:AND"> <basic:Rule xsi:type="basic:OR"> <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/eu-adequate-protection"/> <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/nren-service"/> <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/hei-service"/> </basic:Rule> <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/research-and-education"/> </afp:PolicyRequirementRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="surname"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonScopedAffiliation"> <afp:PermitValueRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" /> <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" /> </afp:PermitValueRule> </afp:AttributeRule> <afp:AttributeRule attributeID="organizationName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="norEduOrgAcronym"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="countryName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="friendlyCountryName"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="schacHomeOrganization"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- SWAMID Entity Category SFS 1993:1153 --> <afp:AttributeFilterPolicy id="entity-category-sfs-1993-1153"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://www.swamid.se/category/sfs-1993-1153"/> <afp:AttributeRule attributeID="norEduPersonNIN"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> <!-- Examples of entityId based release to Service Providers --> <!-- NyA-webben UHR <afp:AttributeFilterPolicy id="releaseNyAwebbenEntitlement"> <afp:PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.antagning.se/ecs-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.testa.antagning.se/ecs-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.testb.antagning.se/ecs-sp" /> </afp:PolicyRequirementRule> <afp:AttributeRule attributeID="NyAwebbenEntitlement"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> --> <!-- TCS Personal <afp:AttributeFilterPolicy id="releaseTcsPersonalEntitlement"> <afp:PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://tcs-personal.sunet.se/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://tcs-personal-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" /> </afp:PolicyRequirementRule> <afp:AttributeRule attributeID="tcsPersonalEntitlement"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:DenyValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> <afp:AttributeRule attributeID="tcsPersonalMail"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> --> <!-- TCS Personal eScience <afp:AttributeFilterPolicy id="releaseTcsPersonaleSienceEntitlement"> <afp:PolicyRequirementRule xsi:type="basic:OR"> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://tcs-escience.sunet.se/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" /> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://tcs-escience-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" /> </afp:PolicyRequirementRule> <afp:AttributeRule attributeID="tcsPersonaleScienceEntitlement"> <afp:PermitValueRule xsi:type="basic:ANY" /> </afp:AttributeRule> </afp:AttributeFilterPolicy> --> </afp:AttributeFilterPolicyGroup>