List: shibboleth-users
Subject: Re: relaxed scoped attribute checking
From: "Cantor, Scott" <cantor.2 () osu ! edu>
Date: 2014-05-17 15:48:31
Message-ID: CF9D4258.CED0%cantor.2 () osu ! edu
On 5/16/14, 10:30 PM, "Peter Schober" <peter.schober@univie.ac.at> wrote:
>From a quick look one way to do that would be to change the default
>"ScopingRules" PermitValueRule type from AND to OR and 'or' anything
>that exists together with another rule like of type
>"basic:AttributeIssuerString" and value="https://idp.example.org/entity".
To avoid losing the regex check, you probably want something like:
<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="OR">
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
        <Rule xsi:type="AttributeIssuerString" value="entityID"/>
    </Rule>
</afp:PermitValueRule>
(default namespace in my file is the "basic" one, that's why the rule
types don't have basic: in front of them)
-- Scott
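
Added example, not part of the original message and not Shibboleth code: a simplified Python model of the rule above, showing that the named issuer may assert any scope, other issuers stay bound to their metadata scopes, and the "@" check still applies to everyone. The second issuer, the metadata scopes, the sample values and the regex semantics (substring search on the value part) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
RELAXED = "https://idp.example.org/entity"  # entityID taken from the quoted text
# Rule from the message; namespace declarations added so it parses stand-alone.
RULE_XML = f"""<afp:PermitValueRule id="ScopingRules" xsi:type="AND"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Rule xsi:type="NOT"><Rule xsi:type="AttributeValueRegex" regex="@"/></Rule>
  <Rule xsi:type="OR">
    <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    <Rule xsi:type="AttributeIssuerString" value="{RELAXED}"/>
  </Rule>
</afp:PermitValueRule>"""
# Constructed metadata: scopes each issuer is registered for (shibmd:Scope).
MD_SCOPES = {RELAXED: {"example.org"},
             "https://idp.other.example/entity": {"other.example"}}

def permits(rule, value, scope, issuer):
    """Simplified model of the rule types used above, not the SP's own code."""
    kind = rule.get(XSI_TYPE).split(":")[-1]  # drop the namespace prefix
    sub = [permits(child, value, scope, issuer) for child in rule]
    if kind == "AND":
        return all(sub)
    if kind == "OR":
        return any(sub)
    if kind == "NOT":
        return not sub[0]
    if kind == "AttributeValueRegex":
        # Assumption: the pattern is searched for in the value part only.
        return re.search(rule.get("regex"), value) is not None
    if kind == "AttributeScopeMatchesShibMDScope":
        return scope in MD_SCOPES.get(issuer, set())
    if kind == "AttributeIssuerString":
        return issuer == rule.get("value")
    raise ValueError(f"unsupported rule type: {kind}")

def accepted(value, scope, issuer):
    return permits(ET.fromstring(RULE_XML), value, scope, issuer)

if __name__ == "__main__":
    other = "https://idp.other.example/entity"
    for v, s, i in [("alice", "example.org", RELAXED), ("alice", "partner.example", RELAXED),
                    ("al@ice", "partner.example", RELAXED), ("bob", "example.org", other)]:
        print(f"{v}@{s} from {i}: {'permit' if accepted(v, s, i) else 'deny'}")
```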