Rearange template files. Start on templating

author: Markus Krogh <markus@nordu.net> 2017-10-02 14:20:48 +0200
committer: Markus Krogh <markus@nordu.net> 2017-10-02 14:20:48 +0200
commit: aab254a9894c8d04679e7aeffcab22f35eeadf7d (patch)
tree: 5462a2124adf3d4de99b107835b53ea3fd53d172 /idp/templates/config/attribute-filter.xml
parent: 818063992c86ac7e6f6b085e6d97886a23af5512 (diff)
1 files changed, 283 insertions, 0 deletions
diff --git a/idp/templates/config/attribute-filter.xml b/idp/templates/config/attribute-filter.xml
new file mode 100644
index 0000000..3514282
--- /dev/null
+++ b/idp/templates/config/attribute-filter.xml
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    This file is an EXAMPLE policy file.  While the policy presented in this
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+  xmlns="urn:mace:shibboleth:2.0:afp"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
+    <PolicyRequirementRule xsi:type="ANY" />
+
+    <AttributeRule attributeID="transientId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="persistentId">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+
+  <!-- GEANT Data protection Code of Conduct -->
+  <AttributeFilterPolicy id="releaseToCoCo">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="cn">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="AND">
+        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+        <Rule xsi:type="OR">
+          <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+          <Rule xsi:type="Value" value="student" ignoreCase="true" />
+          <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+          <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+          <Rule xsi:type="Value" value="member" ignoreCase="true" />
+          <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+          <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+          <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+        </Rule>
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAffiliation">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganizationType">
+      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- REFEDS Research and Schoolarship -->
+  <AttributeFilterPolicy id="releaseToRandS">
+    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
+      attributeName="http://macedir.org/entity-category"
+      attributeValue="http://refeds.org/category/research-and-scholarship" />
+
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- entity-category-swamid-research-and-education -->
+  <AttributeFilterPolicy id="entity-category-research-and-education">
+    <PolicyRequirementRule xsi:type="AND">
+      <Rule xsi:type="OR">
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/eu-adequate-protection" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/nren-service" />
+        <Rule xsi:type="EntityAttributeExactMatch"
+          attributeName="http://macedir.org/entity-category"
+          attributeValue="http://www.swamid.se/category/hei-service" />
+      </Rule>
+      <Rule xsi:type="EntityAttributeExactMatch"
+        attributeName="http://macedir.org/entity-category"
+        attributeValue="http://www.swamid.se/category/research-and-education" />
+    </PolicyRequirementRule>
+
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonAssurance">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- Release some attributes to an SP. -->
+  <!-- Note: requester seems to need the path /shibboleth to be included to match this! -->
+  <AttributeFilterPolicy id="sp.nordu.dev">
+    <PolicyRequirementRule xsi:type="Requester" value="https://sp.nordu.dev/shibboleth" />
+    <!-- <PolicyRequirementRule xsi:type="ANY" /> -->
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="uid">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mail">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="employeeType">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="mailLocalAddress">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+  <!-- ukfederation + incommon -->
+  <AttributeFilterPolicy id="everyoneInSwamidFeed">
+    <PolicyRequirementRule xsi:type="InEntityGroup" groupID="http://mds.swamid.se/md/swamid-2.0.xml" />
+    <AttributeRule attributeID="givenName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="surname">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="displayName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="commonName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonPrincipalName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="email">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonEntitlement">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonTargetedID">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="eduPersonScopedAffiliation">
+      <PermitValueRule xsi:type="OR">
+        <Rule xsi:type="Value" value="faculty" ignoreCase="true" />
+        <Rule xsi:type="Value" value="student" ignoreCase="true" />
+        <Rule xsi:type="Value" value="staff" ignoreCase="true" />
+        <Rule xsi:type="Value" value="alum" ignoreCase="true" />
+        <Rule xsi:type="Value" value="member" ignoreCase="true" />
+        <Rule xsi:type="Value" value="affiliate" ignoreCase="true" />
+        <Rule xsi:type="Value" value="employee" ignoreCase="true" />
+        <Rule xsi:type="Value" value="library-walk-in" ignoreCase="true" />
+      </PermitValueRule>
+    </AttributeRule>
+    <AttributeRule attributeID="organizationName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="norEduOrgAcronym">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="countryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="friendlyCountryName">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+    <AttributeRule attributeID="schacHomeOrganization">
+      <PermitValueRule xsi:type="ANY" />
+    </AttributeRule>
+  </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>
author	Markus Krogh <markus@nordu.net>	2017-10-02 14:20:48 +0200
committer	Markus Krogh <markus@nordu.net>	2017-10-02 14:20:48 +0200
commit	aab254a9894c8d04679e7aeffcab22f35eeadf7d (patch)
tree	5462a2124adf3d4de99b107835b53ea3fd53d172 /idp/templates/config/attribute-filter.xml
parent	818063992c86ac7e6f6b085e6d97886a23af5512 (diff)