
List:       shibboleth-users
Subject:    Re: relaxed scoped attribute checking
From:       "Cantor, Scott" <cantor.2 () osu ! edu>
Date:       2014-05-17 15:48:31
Message-ID: CF9D4258.CED0%cantor.2 () osu ! edu

On 5/16/14, 10:30 PM, "Peter Schober" <peter.schober@univie.ac.at> wrote:

>From a quick look one way to do that would be to change the default
>"ScopingRules" PermitValueRule type from AND to OR and 'or' anything
>that exists together with another rule like of type
>"basic:AttributeIssuerString" and value="https://idp.example.org/entity".

To avoid losing the regex check, you probably want something like:

<afp:PermitValueRule id="ScopingRules" xsi:type="AND">
    <Rule xsi:type="NOT">
        <Rule xsi:type="AttributeValueRegex" regex="@"/>
    </Rule>
    <Rule xsi:type="OR">
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
        <Rule xsi:type="AttributeIssuerString" value="entityID"/>
    </Rule>
</afp:PermitValueRule>


(default namespace in my file is the "basic" one, that's why the rule
types don't have basic: in front of them)

-- Scott
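The following is an added example, not code from the post above or from the Shibboleth project. It is a toy Python evaluator for the AND / NOT / OR rule tree in the policy snippet, run over constructed sample values, so you can see which values the relaxed ScopingRules still reject (anything with an "@" in the value part, and any non-metadata scope from an IdP other than the one named) and which it newly permits. The entityIDs, the metadata scope table and the sample values are all made up, and the model assumes the regex is applied to the value part of a scoped attribute, which is what the default "@" check is there to catch.

```python
# Added example (not from the post or the Shibboleth project): a toy
# evaluator for the AND / NOT / OR PermitValueRule tree in the policy
# snippet, run over constructed sample values.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopedValue:
    """One value of a scoped attribute as the SP sees it after decoding."""
    value: str    # the part before the "@" separator, e.g. "staff"
    scope: str    # the part after it, e.g. "example.org"
    issuer: str   # entityID of the IdP that asserted it


# Constructed stand-in for the <shibmd:Scope> elements in each IdP's metadata.
METADATA_SCOPES = {
    "https://idp.example.org/idp/shibboleth": {"example.org"},
    "https://idp.partner.edu/idp/shibboleth": {"partner.edu"},
}

# Leaf rules, deliberately named after the xsi:type values in the policy
# (not PEP 8 style, but it keeps the mapping to the XML obvious).
def AttributeValueRegex(regex):
    pattern = re.compile(regex)
    # Assumption of this model: the regex runs against the value part only.
    return lambda v: pattern.search(v.value) is not None


def AttributeScopeMatchesShibMDScope(v):
    # Scope must be one the asserting IdP is allowed to use per metadata.
    return v.scope in METADATA_SCOPES.get(v.issuer, set())


def AttributeIssuerString(entity_id):
    return lambda v: v.issuer == entity_id


# Combining rules.
def NOT(rule):
    return lambda v: not rule(v)


def AND(*rules):
    return lambda v: all(r(v) for r in rules)


def OR(*rules):
    return lambda v: any(r(v) for r in rules)


# Stands in for the "entityID" placeholder in the policy snippet.
TRUSTED_IDP = "https://idp.example.org/idp/shibboleth"

# Default ScopingRules: no "@" in the value AND the scope is backed by metadata.
strict_scoping_rules = AND(
    NOT(AttributeValueRegex("@")),
    AttributeScopeMatchesShibMDScope,
)

# Relaxed variant from the post: same regex check, but the scope check is
# OR'd with "asserted by the one trusted IdP".
relaxed_scoping_rules = AND(
    NOT(AttributeValueRegex("@")),
    OR(AttributeScopeMatchesShibMDScope, AttributeIssuerString(TRUSTED_IDP)),
)

PARTNER_IDP = "https://idp.partner.edu/idp/shibboleth"

# Constructed sample values.
SAMPLES = [
    ScopedValue("staff", "example.org", TRUSTED_IDP),        # normal, metadata-backed
    ScopedValue("staff", "dept.example.org", TRUSTED_IDP),   # sub-scope missing from metadata
    ScopedValue("staff", "dept.partner.edu", PARTNER_IDP),   # other IdP, unlisted scope
    ScopedValue("staff@other.org", "example.org", TRUSTED_IDP),  # "@" inside the value part
    ScopedValue("staff", "example.org", PARTNER_IDP),        # other IdP claiming a foreign scope
]


def permitted(rule, values):
    """Return the permit decision for each value, in input order."""
    return [rule(v) for v in values]


if __name__ == "__main__":
    strict = permitted(strict_scoping_rules, SAMPLES)
    relaxed = permitted(relaxed_scoping_rules, SAMPLES)
    for v, s, r in zip(SAMPLES, strict, relaxed):
        print(f"{v.value}@{v.scope} from {v.issuer}: strict={s} relaxed={r}")
```

Running it shows the relaxation only widens the second case (a scope the trusted IdP did not register in metadata); the "@" check and the scope check for every other issuer behave exactly as in the default policy.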

