
This is an example of a standard entity-category-based attribute filter for SWAMID 2.0 in a Shibboleth IdP.

Prerequisites:

attribute-filter.xml

<?xml version="1.0" encoding="UTF-8"?>

<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
                                xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
                                xmlns:afp="urn:mace:shibboleth:2.0:afp"
                                xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                                                    urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd
                                                    urn:mace:shibboleth:2.0:afp:mf:saml classpath:/schema/shibboleth-2.0-afp-mf-saml.xsd">

<!--
    Attribute release policy (Shibboleth IdP 2.x attribute filter syntax) for a SWAMID identity provider.

    How to read this file:
      * Each afp:AttributeFilterPolicy is evaluated on its own. Its afp:PolicyRequirementRule decides whether
        the policy applies to the requesting Service Provider; the afp:AttributeRule / afp:PermitValueRule
        children decide which attribute values that policy permits.
      * Policies are additive: a value permitted by any applicable policy is released, so an attribute
        added to one of the "release to anyone" policies below reaches every SP, whatever the later
        policies say.
      * saml:AttributeRequesterEntityAttributeExactMatch matches an entity attribute (here the
        http://macedir.org/entity-category entity attribute) found in the requesting SP's metadata. The
        release decision is therefore only as trustworthy as the metadata it is taken from; the federation
        metadata should be loaded with signature verification so that an SP cannot claim a category itself.
      * basic:AttributeRequesterString (used in the disabled examples at the end) compares the SP entityID.
      * The xsi:schemaLocation hints point at classpath: URIs, so validation never fetches schemas over
        the network.
-->


<!-- General release to all Service Providers -->

<!--  Release the transient ID to anyone.
      transientId is a short-lived, per-session identifier; releasing it unconditionally is what allows
      basic SSO to any SP in the federation. -->
    <afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="transientId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


<!--  Release the pseudonym user identity to anyone.
      persistentId and eduPersonTargetedID are intended as opaque, SP-specific (pairwise) identifiers.
      NOTE(review): that property comes from the attribute resolver, not from this filter; confirm the
      resolver derives them per relying party before relying on the unconditional release here. -->
    <afp:AttributeFilterPolicy id="releasePermanentIdToAnyone">
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />
        <afp:AttributeRule attributeID="persistentId">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>




<!-- Entity category based release to Service Providers -->

<!-- GEANT Dataprotection Code of Conduct.
     Applies to any SP whose metadata carries the Code of Conduct entity category. The attribute set
     released below is fixed, regardless of which attributes the SP lists as RequestedAttribute in its
     metadata; IdP 2.4 and later also provide the saml:AttributeInMetadata permit rule if release should
     be narrowed to what the SP actually requests. -->
    <afp:AttributeFilterPolicy id="releaseToCoC">
        <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
        <afp:AttributeRule attributeID="displayName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <!-- Only the standard eduPerson affiliation vocabulary is released; any other value is dropped.
             This relies on the matcher comparing the value part of the scoped attribute (not the scope);
             verify with a test SP if your resolver builds the scoped value differently. The same list is
             repeated in the research-and-education policy below; keep the two in sync. -->
        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="schacHomeOrganization">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


<!-- SWAMID Entity Category Research and Education.
     The requirement rule is an AND: the SP must carry the research-and-education category AND at least
     one of eu-adequate-protection, nren-service or hei-service. An SP with only the
     research-and-education category therefore gets nothing from this policy. -->
    <afp:AttributeFilterPolicy id="entity-category-research-and-education">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:OR">
                <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="http://www.swamid.se/category/eu-adequate-protection"/>
                <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="http://www.swamid.se/category/nren-service"/>
                <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
                            attributeName="http://macedir.org/entity-category"
                            attributeValue="http://www.swamid.se/category/hei-service"/>
            </basic:Rule>
            <basic:Rule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
                        attributeName="http://macedir.org/entity-category"
                        attributeValue="http://www.swamid.se/category/research-and-education"/>
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="givenName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="surname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="displayName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <!-- Replace email release if you have multiple mail addresses to add in the TCS Personal Certificates, see example below.
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:NOT">
                <basic:Rule xsi:type="basic:OR">
                    <basic:Rule xsi:type="basic:AttributeRequesterString"
                                value="https://tcs-personal.sunet.se/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
                    <basic:Rule xsi:type="basic:AttributeRequesterString"
                                value="https://tcs-personal-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
                </basic:Rule>
            </afp:PermitValueRule>
        </afp:AttributeRule> -->
        <!-- Same affiliation vocabulary as in releaseToCoC above; keep the two lists identical. -->
        <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="alum" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="employee" ignoreCase="true" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in" ignoreCase="true" />
            </afp:PermitValueRule>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="organizationName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="norEduOrgAcronym">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="countryName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="friendlyCountryName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="schacHomeOrganization">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>


<!-- SWAMID Entity Category SFS 1993:1153.
     norEduPersonNIN carries the national identification number, the most sensitive attribute in this
     file. It is released only to SPs carrying the sfs-1993-1153 category; do not add it to the broader
     policies above. -->
    <afp:AttributeFilterPolicy id="entity-category-sfs-1993-1153">
        <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
                               attributeName="http://macedir.org/entity-category"
                               attributeValue="http://www.swamid.se/category/sfs-1993-1153"/>
        <afp:AttributeRule attributeID="norEduPersonNIN">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>




<!-- Examples of entityId based release to Service Providers.
     The three policies below are disabled (commented out). They match on the SP entityID with
     basic:AttributeRequesterString and release service-specific entitlement attributes; enable only the
     ones your IdP actually needs, and keep the entityID lists in step with the federation metadata. -->

<!-- NyA-webben UHR
    <afp:AttributeFilterPolicy id="releaseNyAwebbenEntitlement">
        <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.antagning.se/ecs-sp" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.testa.antagning.se/ecs-sp" />
            <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://expert.testb.antagning.se/ecs-sp" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="NyAwebbenEntitlement">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
-->


<!--  TCS Personal
    <afp:AttributeFilterPolicy id="releaseTcsPersonalEntitlement">
        <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://tcs-personal.sunet.se/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://tcs-personal-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="tcsPersonalEntitlement">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="tcsPersonalMail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
-->


<!--  TCS Personal eScience
    <afp:AttributeFilterPolicy id="releaseTcsPersonaleSienceEntitlement">
        <afp:PolicyRequirementRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://tcs-escience.sunet.se/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://tcs-escience-portal.terena.org/simplesamlphp/module.php/saml/sp/metadata.php/default-sp" />
        </afp:PolicyRequirementRule>
        <afp:AttributeRule attributeID="tcsPersonaleScienceEntitlement">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
-->

</afp:AttributeFilterPolicyGroup>