xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd ">
-
- <AttributeFilterPolicy id="Anyone">
+
+ <!--
+ Releases to anyone:
+ * any value of uid
+ * only the member value of affiliation
+ -->
+ <AttributeFilterPolicy id="ReleaseToAnyone">
<PolicyRequirementRule xsi:type="basic:ANY" />
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
- <AttributeRule attributeID="cn">
+ <AttributeRule attributeID="affiliation">
+ <PermitValueRule value="member"
+ xsi:type="basic:AttributeValueString"/>
+ </AttributeRule>
+
+ </AttributeFilterPolicy>
+
+ <!--
+ Releases to only SP 1:
+ * any value of uid
+ * scoped primary affiliation if the scope is the IdP 1 and the value is staff, faculty, or student
+ * any value of affiliation
+ * any value of full name
+ -->
+ <AttributeFilterPolicy id="ReleaseToSP1">
+ <PolicyRequirementRule value="urn:example.org:myFederation:sp1"
+ xsi:type="basic:AttributeRequesterString" />
+
+ <AttributeRule attributeID="uid">
+ <PermitValueRule xsi:type="basic:ANY" />
+ </AttributeRule>
+
+ <AttributeRule attributeID="scopedPrimaryAffiliation">
+ <PermitValueRule xsi:type="basic:AND">
+ <basic:Rule value="urn:example.org:myFederation:idp1"
+ xsi:type="AttributeScopeString" />
+ <basic:Rule xsi:type="basic:OR">
+ <basic:Rule value="staff"
+ xsi:type="AttributeValueString" />
+ <basic:Rule value="faculty"
+ xsi:type="AttributeValueString" />
+ <basic:Rule value="student"
+ xsi:type="AttributeValueString" />
+ </basic:Rule>
+ </PermitValueRule>
+ </AttributeRule>
+
+ <AttributeRule attributeID="affiliation">
+ <PermitValueRule xsi:type="basic:ANY" />
+ </AttributeRule>
+
+ <AttributeRule attributeID="fullName">
<PermitValueRule xsi:type="basic:ANY" />
</AttributeRule>
urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">
-
- <resolver:AttributeDefinition xsi:type="ad:Simple" id="uid">
- <resolver:DataConnectorDependency ref="static" />
- <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" />
+
+ <!-- ========================================== -->
+ <!-- Attribute Definitions -->
+ <!-- ========================================== -->
+
+ <!-- Example attribute defintions -->
+ <!--
+ <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple">
+ <resolver:DataConnectorDependency ref="myLDAP" />
</resolver:AttributeDefinition>
+ -->
- <resolver:AttributeDefinition xsi:type="ad:Simple" id="cn">
- <resolver:DataConnectorDependency ref="static" />
+ <!--
+ <resolver:AttributeDefinition id="scopedPrimaryAffiliation" xsi:type="ad:Scoped">
+ <resolver:DataConnectorDependency ref="staticAttributes" sourceAttributeID="staticEPPA" />
+ <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonPrimaryAffiliation" />
+
+ <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
+ name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
+
+ <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
+ name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"/>
+
+ <resolver:AttributeEncoder xsi:type="SAML2StringNameID" />
+
+ </resolver:AttributeEncoder>
</resolver:AttributeDefinition>
+ -->
- <resolver:AttributeDefinition xsi:type="ad:Simple" id="email">
- <resolver:DataConnectorDependency ref="static" />
+ <!--
+ <resolver:AttributeDefinition id="affiliation" xsi:type="ad:Simple">
+ <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonAffiliation" />
+
+ <resolver:AttributeEncoder xsi:type="SAML1String"
+ name="urn:mace:dir:attribute-def:eduPersondAffiliation"/>
+
+ <resolver:AttributeEncoder xsi:type="SAML2String"
+ name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+ friendlyName="eduPersonAffiliation"/>
</resolver:AttributeDefinition>
-
- <resolver:DataConnector xsi:type="dc:Static" id="static">
- <dc:Attribute id="uid">
- <dc:Value>testUser</dc:Value>
- </dc:Attribute>
- <dc:Attribute id="cn">
- <dc:Value>Test User</dc:Value>
+ -->
+
+ <!--
+ <resolver:AttributeDefinition id="fullName" xsi:type="Script">
+ <resolver:DataConnectorDependency ref="myLDAP" sourceAttribute="eduPersonAffiliation" />
+
+ <Script>
+ <![CDATA[
+ importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
+ fullname = new BasicAttribute("fullname");
+ fullname.getValues().add(givenName.getValues().first() + " " + sn.getValues().first());
+ ]]>
+ </Script>
+ </resolver:AttributeDefinition>
+ -->
+
+
+ <!-- ========================================== -->
+ <!-- Data Connectors -->
+ <!-- ========================================== -->
+
+ <!-- Example Static Connector -->
+ <!--
+ <resolver:DataConnector id="staticAttributes" xsi:type="dc:Static">
+ <dc:Attribute id="staticEPPA">
+ <dc:Value>member</dc:Value>
</dc:Attribute>
- <dc:Attribute id="email">
- <dc:Value>t.user@example.org</dc:Value>
+ <dc:Attribute id="staticEPE">
+ <dc:Value>urn:example.org:entitlement:entitlement1</dc:Value>
+ <dc:Value>urn:mace:dir:entitlement:common-lib-terms</dc:Value>
</dc:Attribute>
</resolver:DataConnector>
+ -->
+
+ <!-- Example Relational Database Connector -->
+ <!--
+ <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
+ <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
+ jdbcUrl="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+ jdbcUserName="myid"
+ jdbcPassword="mypassword" />
+ <dc:QueryTemplate>
+ <![CDATA[
+ SELECT * FROM student WHERE gzbtpid = ${principal}
+ ]]>
+ </dc:QueryTemplate>
+
+ <dc:Column columnName="gzbtpid" attributeID="uid"/>
+ <dc:Column columnName="fqlft" attributeID="gpa" type="Float"/>
+ </resolver:DataConnector>
+ -->
+
+ <!-- Example LDAP Connector -->
+ <!--
+ <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
+ ldapUrl="ldap://ldap.example.org"
+ baseDN="ou=people,dc=example,dc=org"
+ principal="uid=myservice,ou=system"
+ principalCredential="myServicePassword">
+ <dc:FilterTemplate>
+ <![CDATA[
+ (uid=${principal})
+ ]]>
+ </dc:FilterTemplate>
+
+ </resolver:DataConnector>
+ -->
+ <!-- ========================================== -->
+ <!-- Principal Connectors -->
+ <!-- ========================================== -->
<resolver:PrincipalConnector xsi:type="pc:Direct"
id="directPC"
nameIDFormat="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified" />
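Review bot: The commented-out example definitions that replace the working `static` connector will not work when uncommented as written: the `scopedPrimaryAffiliation` block closes a self-closed encoder with a stray `</resolver:AttributeEncoder>`, the SAML1 encoder name reads `eduPersondAffiliation`, and the `fullName` script populates a variable named `fullname` (the scripted definition, as far as I recall, looks for a variable matching the definition id) while reading `givenName` and `sn`, which its only declared dependency (`myLDAP`, `sourceAttribute="eduPersonAffiliation"`) does not appear to supply. Because these examples are exactly what deployers copy into live configuration, the RDBMS and LDAP templates deserve a note that `${principal}` is substituted as raw text rather than bound as a parameter, so the SQL should at least be written `SELECT * FROM student WHERE gzbtpid = '${principal}'` and the `SELECT *` narrowed to the mapped columns, and the inline `jdbcPassword="mypassword"` / `principalCredential="myServicePassword"` values should carry a comment such as `<!-- placeholder: keep real credentials out of version control; restrict file permissions -->`. The `xsi:type` values are also inconsistently qualified (`ad:Simple` and `dc:Static` versus bare `Script`, `LDAPDirectory`, `SAML1ScopedString`), unlike the removed `enc:SAML2StringNameID`; the prefixed forms match the namespaces declared in the header and should be used throughout. The root element's opening tag and the file's closing tag lie outside this hunk.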