AttributeFilterConfiguration
jalauros edited this page Mar 2, 2018 · 29 revisions
For basic attribute filtering, refer to the Shibboleth IdP 3 AttributeFilterConfiguration documentation. This page documents only the additional filter components provided by the Shibboleth OIDC extension.
OIDC extension RuleTypes for AttributeFilterPolicyConfiguration
- oidcext:OIDCScope: a PolicyRule that compares the scope values of the OIDC authentication request to a given string.
- oidcext:AttributeInOIDCRequestedClaims: a Matcher that compares attribute values to the claims requested in the OIDC authentication request.
There are a few special claims/attributes that are always returned regardless of attribute filtering; see Special Claims.
The first example releases an attribute to all OpenID Connect RPs (and only to those).
The second example releases attributes to one specific OpenID Connect RP, and only when the scope value info is present in the request.
<!-- Example 1: release eduPersonPrincipalName to every OpenID Connect RP.
     The oidcext:OIDCScope rule only matches requests that carry the "openid" scope,
     so non-OIDC requesters never satisfy this policy. -->
<AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- Example 2: release eduPersonAffiliation and mail to the RP "demo_rp" only,
     and only when its request also includes the "info" scope (both rules must hold). -->
<AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
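As an added illustration (not code from this page or from the extension itself), the following Python models how the two policies above are evaluated against an incoming request: the scope set comes from the space-delimited scope parameter, the Requester rule compares the client_id, and an assumed third policy shows the oidcext:AttributeInOIDCRequestedClaims matcher consulting the request's claims parameter. The attribute-to-claim mapping CLAIM_NAMES and the third policy are assumptions for the demonstration.

```python
from dataclasses import dataclass, field

@dataclass
class OIDCRequest:
    requester: str                 # client_id of the RP (what the Requester rule compares)
    scope: str                     # raw space-delimited "scope" parameter
    claims: dict = field(default_factory=dict)  # parsed "claims" parameter (OIDC Core 5.5)

    def scopes(self):
        return set(self.scope.split())

    def requested_claims(self):
        # Claim names requested under either the id_token or the userinfo member.
        return {name for section in ("id_token", "userinfo")
                for name in (self.claims.get(section) or {})}

# Policy requirement rules: each returns True when the policy applies to the request.
def oidc_scope(value):          # oidcext:OIDCScope
    return lambda req: value in req.scopes()
def requester(value):           # Requester
    return lambda req: req.requester == value
def all_of(*rules):             # AND
    return lambda req: all(rule(req) for rule in rules)

# Permit value rules: return True for each attribute value they let through.
def any_value(req, attr_id, value):            # ANY
    return True
# Assumed attribute-to-claim name mapping; in the IdP this comes from the attribute encoders.
CLAIM_NAMES = {"mail": "email", "eduPersonAffiliation": "affiliation"}
def in_requested_claims(req, attr_id, value):  # oidcext:AttributeInOIDCRequestedClaims
    return CLAIM_NAMES.get(attr_id, attr_id) in req.requested_claims()

# The page's two policies, plus an assumed third one using the requested-claims matcher.
POLICIES = [
    (oidc_scope("openid"), {"eduPersonPrincipalName": any_value}),   # ALL_OPENID_CLIENTS
    (all_of(requester("demo_rp"), oidc_scope("info")),                # DEMO_RP_SCOPE_INFO
     {"eduPersonAffiliation": any_value, "mail": any_value}),
    (oidc_scope("openid"), {"mail": in_requested_claims}),            # assumed, not on the page
]

def filter_attributes(req, attributes):
    # Returns {attributeID: set(values)} released: the union over all applicable policies.
    released = {}
    for requirement, rules in POLICIES:
        if requirement(req):
            for attr_id, permit in rules.items():
                for value in attributes.get(attr_id, []):
                    if permit(req, attr_id, value):
                        released.setdefault(attr_id, set()).add(value)
    return released
```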