AttributeFilterConfiguration
For basic attribute filtering you should refer to Shibboleth IdP 3 AttributeFilterConfiguration. Here we document the additional policy rules and matchers provided by the Shibboleth OIDC extension. Note that you do not need to use OIDC-specific policy rules or matchers to release claims to a relying party; they are only an addition to the existing toolset.
You should also note that a few special claims/attributes are always returned regardless of attribute filtering, see Special Claims.
The topic of Splitting Claims is documented for more advanced use cases.
OIDC extension RuleTypes for AttributeFilterPolicyConfiguration
- oidcext:OIDCScope, a PolicyRule that compares the scope values of the authentication request to a string.
- oidcext:AttributeInOIDCRequestedClaims, a Matcher that compares the attribute values to the claims requested in the OIDC authentication request.
The first example releases an attribute to all OpenID Connect relying parties (and only to those): every OIDC authentication request carries the openid scope, so the OIDCScope rule matches exactly the OIDC requesters.
The second example releases attributes to a specific OpenID Connect relying party only if the scope value info is present in the request.
<!-- Example 1: release eduPersonPrincipalName to every OIDC relying party (the openid scope is mandatory in OIDC requests). -->
<AttributeFilterPolicy id="ALL_OPENID_CLIENTS">
    <PolicyRequirementRule xsi:type="oidcext:OIDCScope" value="openid" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

<!-- Example 2: release eduPersonAffiliation and mail to the relying party demo_rp, but only when its request includes the info scope. -->
<AttributeFilterPolicy id="DEMO_RP_SCOPE_INFO">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="info" />
    </PolicyRequirementRule>
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
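The page lists the oidcext:AttributeInOIDCRequestedClaims matcher but shows no policy using it. The following is an added example, not taken from the extension's own documentation, of a least-privilege release policy: a relying party always gets the identifier it needs, but mail is released only when that party explicitly named the claim in the claims request parameter. The relying party id demo_rp and the attribute ids are assumptions carried over from the examples above; the optional onlyIfEssential parameter on the matcher is assumed to exist in this version of the extension, and the oidcext prefix is assumed to be declared on the root element of attribute-filter.xml as the extension's setup instructions describe.

```xml
<!-- Added example (not part of the original page): release the identifier
     unconditionally to demo_rp, but release mail only if demo_rp asked for
     the claim in its authentication request. Constructed policy; the
     requester id and attribute ids are assumptions. -->
<AttributeFilterPolicy id="DEMO_RP_REQUESTED_CLAIMS_ONLY">
    <!-- Both conditions must hold: the requester is demo_rp and the request
         is an OIDC request (every OIDC request carries the openid scope). -->
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="demo_rp" />
        <Rule xsi:type="oidcext:OIDCScope" value="openid" />
    </PolicyRequirementRule>

    <!-- The identifier is released regardless of the claims parameter. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- mail is released only if the claims request parameter of the
         authentication request lists the corresponding claim. -->
    <AttributeRule attributeID="mail">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" />
    </AttributeRule>

    <!-- Stricter variant: release eduPersonAffiliation only if the claim was
         requested AND marked essential. onlyIfEssential is assumed to be an
         optional parameter of the matcher. -->
    <AttributeRule attributeID="eduPersonAffiliation">
        <PermitValueRule xsi:type="oidcext:AttributeInOIDCRequestedClaims" onlyIfEssential="true" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Using the requested-claims matcher instead of ANY keeps the release set bound to what the relying party actually asked for, so a misconfigured or overly broad policy does not leak attributes the client never needed. To verify the policy, run the IdP's attribute resolution test (for example the aacli script shipped with the IdP) once with a request that omits the claims parameter and once with a request that lists mail, and confirm that mail appears only in the second result.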