<?xml version="1.0" encoding="UTF-8"?>
<!--
  Shibboleth IdP attribute-filter policy group.

  Every AttributeFilterPolicy below pairs a PolicyRequirementRule (which SPs
  the policy applies to) with AttributeRules (which attributes, and which
  values, may be released). Policies are evaluated independently; an
  attribute is released to an SP when at least one applicable policy permits
  it. The schemaLocation is a locator hint for editors; the IdP validates
  against its own bundled copy of the AFP schema rather than fetching the URL.
-->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
                            xmlns="urn:mace:shibboleth:2.0:afp"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!--
    Release keyed on the requesting SP's entityID (demo / test SP).
    The OR wrapper holds a single Requester rule so that further entityIDs can
    be added as siblings. Everything listed is released without value
    filtering, so keep this list limited to non-production SPs.
  -->
  <AttributeFilterPolicy id="demosp">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="Requester" value="https://demosp.sanet.sk/sp"/>
    </PolicyRequirementRule>

    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="sn" permitAny="true"/>
    <AttributeRule attributeID="displayName" permitAny="true"/>
    <AttributeRule attributeID="cn" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
    <AttributeRule attributeID="eduPersonAffiliation" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
    <AttributeRule attributeID="eduPersonEntitlement" permitAny="true"/>
    <AttributeRule attributeID="o" permitAny="true"/>
    <AttributeRule attributeID="samlPairwiseID" permitAny="true"/>
    <AttributeRule attributeID="samlSubjectID" permitAny="true"/>
    <AttributeRule attributeID="schacHomeOrganization" permitAny="true"/>
    <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true"/>
    <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true"/>
  </AttributeFilterPolicy>

  <!--
    SAML Subject Identifier release, driven by the subject-id:req entity
    attribute the SP publishes in its metadata. Two gates apply: the SP must
    be tagged with a GEANT or REFEDS Code of Conduct entity category (the
    policy requirement), and the per-identifier value rules then honour what
    the SP asked for. A request of "any" is satisfied with the pairwise
    (per-SP) identifier, the privacy-preserving choice; the global subject-id
    is only released when explicitly requested.
  -->
  <AttributeFilterPolicy id="subject-identifiers">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
    </PolicyRequirementRule>

    <AttributeRule attributeID="samlPairwiseID">
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="EntityAttributeExactMatch"
              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="pairwise-id"/>
        <Rule xsi:type="EntityAttributeExactMatch"
              attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
              attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
              attributeValue="any"/>
      </PermitValueRule>
    </AttributeRule>

    <AttributeRule attributeID="samlSubjectID">
      <PermitValueRule xsi:type="EntityAttributeExactMatch"
                       attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
                       attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                       attributeValue="subject-id"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!--
    REFEDS Research and Scholarship (R&amp;S) entity category.
      https://refeds.org/category/research-and-scholarship
      https://www.eduid.cz/cs/tech/categories/rs
    The category requires an identifier, an email address and a person's
    name. If eduPersonPrincipalName values can ever be reassigned at this
    organisation, eduPersonTargetedID / a persistent NameID MUST also be
    released; releasing it unconditionally is the recommended practice, as is
    releasing givenName and sn alongside displayName for interoperability.
  -->
  <AttributeFilterPolicy id="releasetoRandS">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                           attributeName="http://macedir.org/entity-category"
                           attributeValue="http://refeds.org/category/research-and-scholarship"/>

    <AttributeRule attributeID="eduPersonAssurance" permitAny="true"/>
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="eduPersonTargetedID" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="displayName" permitAny="true"/>
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="sn" permitAny="true"/>

    <!--
      Affiliation is optional in R&amp;S but its release is "strongly
      recommended". Only the standard eduPerson affiliation vocabulary is let
      through (matched case-insensitively); any locally invented value is
      withheld.
    -->
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="OR">
        <Rule xsi:type="Value" value="faculty" caseSensitive="false"/>
        <Rule xsi:type="Value" value="student" caseSensitive="false"/>
        <Rule xsi:type="Value" value="staff" caseSensitive="false"/>
        <Rule xsi:type="Value" value="alum" caseSensitive="false"/>
        <Rule xsi:type="Value" value="member" caseSensitive="false"/>
        <Rule xsi:type="Value" value="affiliate" caseSensitive="false"/>
        <Rule xsi:type="Value" value="employee" caseSensitive="false"/>
        <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false"/>
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!--
    GEANT Data Protection Code of Conduct (v1) and REFEDS Data Protection
    Code of Conduct (v2) entity categories, for SPs in the EU/EEA or in
    jurisdictions with an adequacy decision.

    Release is driven by the SP's own RequestedAttribute list in SAML
    metadata: with onlyIfRequired="true" an attribute is released only when
    the SP marks it isRequired="true"; with onlyIfRequired="false" it is also
    released when merely listed as optional. The SP therefore cannot obtain
    anything it has not declared in metadata.
  -->
  <AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
    <PolicyRequirementRule xsi:type="OR">
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="http://macedir.org/entity-category"
            attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
    </PolicyRequirementRule>

    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="cn">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAssurance">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>

    <!-- Targeted ID is pairwise, so it is also released when only optional. -->
    <AttributeRule attributeID="eduPersonTargetedID">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>

    <!-- Deprecated attribute, unlikely to be requested in the future; kept for reference.
    <AttributeRule attributeID="eduPersonUniqueId">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    -->

    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>

    <!--
      Entitlements are doubly gated: the SP must require the attribute in
      metadata AND only the two enumerated values are ever released, so
      internal entitlement values never leak to CoCo SPs.
    -->
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="AND">
        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
        <Rule xsi:type="OR">
          <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
          <Rule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user"/>
        </Rule>
      </PermitValueRule>
    </AttributeRule>

    <!-- ESI release is handled by the dedicated ESI entity-category policy below, not by CoCo membership.
    <AttributeRule attributeID="schacPersonalUniqueCode">
      <PermitValueRule xsi:type="AND">
        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
        <Rule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$"/>
      </PermitValueRule>
    </AttributeRule>
    -->

    <!-- Organisation-level attributes carry no personal data; released when listed at all. -->
    <AttributeRule attributeID="schacHomeOrganization">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
    <AttributeRule attributeID="schacHomeOrganizationType">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!--
    European Student Identifier (ESI) entity category.
    Only schacPersonalUniqueCode values in the ESI namespace are released;
    other personalUniqueCode values the user may carry are filtered out by the
    regex. The EWP admin entitlement is released when the SP lists the
    attribute in metadata (required or optional).
  -->
  <AttributeFilterPolicy id="entity-category-european-student-identifier">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
                           attributeName="http://macedir.org/entity-category"
                           attributeValue="https://myacademicid.org/entity-categories/esi"/>

    <AttributeRule attributeID="schacPersonalUniqueCode">
      <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*"/>
    </AttributeRule>

    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="AND">
        <Rule xsi:type="AttributeInMetadata" onlyIfRequired="false"/>
        <Rule xsi:type="Value" value="urn:geant:erasmuswithoutpaper.eu:ewp:admin"/>
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!--
    TCS (certificate service) portal, keyed on its entityID.
    Identity attributes are released in full; of the entitlement values only
    the TCS personal-user value is passed on.
  -->
  <AttributeFilterPolicy id="TCSportal">
    <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth"/>

    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true"/>
    <AttributeRule attributeID="displayName" permitAny="true"/>
    <AttributeRule attributeID="cn" permitAny="true"/>
    <AttributeRule attributeID="givenName" permitAny="true"/>
    <AttributeRule attributeID="sn" permitAny="true"/>
    <AttributeRule attributeID="mail" permitAny="true"/>
    <AttributeRule attributeID="schacHomeOrganization" permitAny="true"/>

    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!--
    Fallback release to every SP the IdP is prepared to talk to (ANY imposes
    no condition of its own; the only remaining gate is that the SP is known
    from configured metadata). Keep this list to attributes that identify the
    organisation rather than the person, and adjust it to the local privacy
    policy.
  -->
  <AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata">
    <PolicyRequirementRule xsi:type="ANY"/>

    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
    <AttributeRule attributeID="schacHomeOrganization" permitAny="true"/>
  </AttributeFilterPolicy>

  <!-- Transient NameID release is enabled by default and needs no policy here; kept for reference.
  <AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="transientId">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  -->

</AttributeFilterPolicyGroup>