<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
<!-- Example of entityID-based release to a single demo Service Provider (matched with a Requester rule) -->
<AttributeFilterPolicy id="demosp">
  <!-- Demo/test SP, matched by its SAML entityID. A single Requester rule is
       used directly as the policy requirement (an OR wrapper around one rule
       adds nothing). Everything below is released unfiltered (permitAny),
       including identifiers and entitlements; that is acceptable only for a
       demo endpoint. Remove or narrow this policy before reusing the file on a
       production IdP. -->
  <PolicyRequirementRule xsi:type="Requester" value="https://demosp.sanet.sk/sp" />
  <!-- Name and contact -->
  <AttributeRule attributeID="cn" permitAny="true" />
  <AttributeRule attributeID="displayName" permitAny="true" />
  <AttributeRule attributeID="givenName" permitAny="true" />
  <AttributeRule attributeID="sn" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
  <!-- Identifiers -->
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  <AttributeRule attributeID="samlSubjectID" permitAny="true" />
  <AttributeRule attributeID="samlPairwiseID" permitAny="true" />
  <AttributeRule attributeID="schacPersonalUniqueCode" permitAny="true" />
  <!-- Affiliation, assurance and authorisation -->
  <AttributeRule attributeID="eduPersonAffiliation" permitAny="true" />
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
  <AttributeRule attributeID="eduPersonEntitlement" permitAny="true" />
  <!-- Organisation -->
  <AttributeRule attributeID="o" permitAny="true" />
  <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
  <AttributeRule attributeID="schacHomeOrganizationType" permitAny="true" />
</AttributeFilterPolicy>
<!-- Honours the SAML Subject Identifier Attributes Profile requirement tag (subject-id:req) found in SP metadata. -->
<!-- Used in combination with the GEANT (v1) / REFEDS (v2) Data Protection Code of Conduct entity categories. -->
<!-- Code of Conduct can be combined with other entity categories. -->
<AttributeFilterPolicy id="subject-identifiers">
  <!-- Releases a SAML subject identifier according to the
       urn:oasis:names:tc:SAML:profiles:subject-id:req entity attribute in the
       SP's metadata. Only SPs carrying one of the two Data Protection Code of
       Conduct entity categories are served here; an SP that tags subject-id:req
       without CoCo (for example an R&S-only SP) gets nothing from this policy
       and has to be covered elsewhere if that is desired.
       Both the requirement tag and the entity category are read from metadata,
       so they are only as trustworthy as the metadata source asserting them. -->
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="EntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="https://refeds.org/category/code-of-conduct/v2"/>
    <Rule xsi:type="EntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>
  </PolicyRequirementRule>
  <!-- The global subject-id is released only when the SP asks for it explicitly. -->
  <AttributeRule attributeID="samlSubjectID">
    <PermitValueRule xsi:type="EntityAttributeExactMatch"
          attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
          attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          attributeValue="subject-id" />
  </AttributeRule>
  <!-- The targeted pairwise-id is released when asked for explicitly and also
       when the SP tags "any" (i.e. it accepts either identifier); the policy
       deliberately picks the more privacy-preserving of the two in that case. -->
  <AttributeRule attributeID="samlPairwiseID">
    <PermitValueRule xsi:type="OR">
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="any" />
      <Rule xsi:type="EntityAttributeExactMatch"
            attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req"
            attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
            attributeValue="pairwise-id" />
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
<!-- REFEDS Research and Scholarship -->
<!-- https://refeds.org/category/research-and-scholarship -->
<!-- https://www.eduid.cz/cs/tech/categories/rs -->
<AttributeFilterPolicy id="releasetoRandS">
  <!-- REFEDS Research and Scholarship entity category.
       Release is triggered by the category entity attribute in the SP's
       metadata, so it relies on the federation (the metadata source) having
       vetted the SP; do not honour the category from locally-authored or
       otherwise unverified metadata.
       R&S asks for an identifier, an email address and a person's name. If
       ePPN values can be reassigned locally, eduPersonTargetedID / a persistent
       NameID MUST also be released; releasing it unconditionally is the
       recommended default, as is sending givenName + sn alongside displayName
       for interoperability. Affiliation is optional in the category but its
       release is "strongly recommended". -->
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship"/>
  <!-- Identifiers -->
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  <AttributeRule attributeID="eduPersonTargetedID" permitAny="true" />
  <!-- Name and contact -->
  <AttributeRule attributeID="displayName" permitAny="true" />
  <AttributeRule attributeID="givenName" permitAny="true" />
  <AttributeRule attributeID="sn" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
  <!-- Assurance -->
  <AttributeRule attributeID="eduPersonAssurance" permitAny="true" />
  <!-- Affiliation: only the standard eduPerson vocabulary is let through, so
       locally-defined affiliation values are filtered out.
       NOTE(review): this relies on the Value rule matching the value part of
       the scoped attribute (the text before the @scope), as in the eduID.cz
       example this policy follows; confirm against the running IdP version. -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="OR">
      <Rule xsi:type="Value" value="member" caseSensitive="false"/>
      <Rule xsi:type="Value" value="student" caseSensitive="false"/>
      <Rule xsi:type="Value" value="faculty" caseSensitive="false"/>
      <Rule xsi:type="Value" value="staff" caseSensitive="false"/>
      <Rule xsi:type="Value" value="employee" caseSensitive="false"/>
      <Rule xsi:type="Value" value="affiliate" caseSensitive="false"/>
      <Rule xsi:type="Value" value="alum" caseSensitive="false"/>
      <Rule xsi:type="Value" value="library-walk-in" caseSensitive="false"/>
    </PermitValueRule>
  </AttributeRule>
</AttributeFilterPolicy>
<!-- GEANT Data protection Code of Conduct or REFEDS Data Protection Code of Conduct Entity Category -->
<!-- Release to CoCo SPs (EU/EEA or adequacy-covered), driven by the RequestedAttributes in the SP's SAML metadata -->
<AttributeFilterPolicy id="GeantEEADataProtectionCodeOfConduct">
  <!-- GEANT Data Protection Code of Conduct v1 or REFEDS Code of Conduct v2.
       Nothing in this policy is released unconditionally: every attribute is
       gated on the SP listing it as a RequestedAttribute in its metadata
       (AttributeInMetadata). With onlyIfRequired="true" the SP must also mark
       the request isRequired="true"; the rules with onlyIfRequired="false"
       honour merely optional requests as well.
       Subject identifiers (samlSubjectID / samlPairwiseID) are intentionally
       absent here; they are handled by the "subject-identifiers" policy, which
       uses the same CoCo trigger.
       Both the entity category and the RequestedAttribute list come from
       metadata and are only as trustworthy as the metadata source asserting
       them.
       NOTE(review): AttributeInMetadata can only match if the resolver's
       attribute definitions carry SAML 2 encoders whose Name/NameFormat agree
       with what SPs put in metadata; verify when adding attributes here. -->
  <PolicyRequirementRule xsi:type="OR">
    <Rule xsi:type="EntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="https://refeds.org/category/code-of-conduct/v2" />
    <Rule xsi:type="EntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1" />
  </PolicyRequirementRule>

  <!-- Released only when requested AND marked required. -->
  <AttributeRule attributeID="cn">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="displayName">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="givenName">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="sn">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAffiliation">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonAssurance">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  <!-- Entitlements: requested + required, and additionally restricted to the
       two well-known values below; every other entitlement value stays local. -->
  <AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="AND">
      <Rule xsi:type="OR">
        <Rule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user"/>
        <Rule xsi:type="Value" value="urn:mace:dir:entitlement:common-lib-terms"/>
      </Rule>
      <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
    </PermitValueRule>
  </AttributeRule>

  <!-- Released when requested, whether or not marked required. -->
  <AttributeRule attributeID="eduPersonTargetedID">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
  </AttributeRule>
  <AttributeRule attributeID="schacHomeOrganization">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
  </AttributeRule>
  <AttributeRule attributeID="schacHomeOrganizationType">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
  </AttributeRule>

  <!-- Deprecated identifier, unlikely to be needed again; kept for reference only:
  <AttributeRule attributeID="eduPersonUniqueId">
    <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
  </AttributeRule>
  -->
  <!-- ESI is released by the dedicated ESI entity-category policy rather than via CoCo:
  <AttributeRule attributeID="schacPersonalUniqueCode">
    <PermitValueRule xsi:type="AND">
      <Rule xsi:type="AttributeInMetadata" onlyIfRequired="true" />
      <Rule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*$" />
    </PermitValueRule>
  </AttributeRule>
  -->
</AttributeFilterPolicy>
<!-- ESI European Student Identifier -->
<AttributeFilterPolicy id="entity-category-european-student-identifier">
  <!-- European Student Identifier (MyAcademicID ESI entity category).
       Triggered by the ESI entity-category attribute in the SP's metadata,
       which is only as trustworthy as the metadata source asserting it. -->
  <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="https://myacademicid.org/entity-categories/esi" />
  <!-- EWP administrator entitlement: released only if the SP lists
       eduPersonEntitlement as a RequestedAttribute (required or optional),
       and then only this single value. -->
  <AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="AND">
      <Rule xsi:type="Value" value="urn:geant:erasmuswithoutpaper.eu:ewp:admin"/>
      <Rule xsi:type="AttributeInMetadata" onlyIfRequired="false" />
    </PermitValueRule>
  </AttributeRule>
  <!-- Only ESI-namespaced values of schacPersonalUniqueCode pass the regex;
       any other personalUniqueCode value the user carries is held back. -->
  <AttributeRule attributeID="schacPersonalUniqueCode">
    <PermitValueRule xsi:type="ValueRegex" regex="^urn:schac:personalUniqueCode:int:esi:.*" />
  </AttributeRule>
</AttributeFilterPolicy>
<!-- Release to TCS portal -->
<AttributeFilterPolicy id="TCSportal">
  <!-- TCS certificate portal, matched by its entityID (Requester rule).
       Name, contact, identifier and home organisation are released in full;
       of the user's entitlements only the TCS personal-user value is released,
       so other (local) entitlement values do not leave the IdP via this policy. -->
  <PolicyRequirementRule xsi:type="Requester" value="https://cert-manager.com/shibboleth" />
  <AttributeRule attributeID="eduPersonEntitlement">
    <PermitValueRule xsi:type="Value" value="urn:mace:terena.org:tcs:personal-user" />
  </AttributeRule>
  <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  <AttributeRule attributeID="mail" permitAny="true" />
  <AttributeRule attributeID="cn" permitAny="true" />
  <AttributeRule attributeID="displayName" permitAny="true" />
  <AttributeRule attributeID="givenName" permitAny="true" />
  <AttributeRule attributeID="sn" permitAny="true" />
  <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
</AttributeFilterPolicy>
<!-- Fallback attribute release to every relying party (PolicyRequirementRule ANY) -->
<!-- Adjust the list to match the local privacy policy; keep it to low-sensitivity, non-identifying attributes -->
<AttributeFilterPolicy id="DataToAnyServiceViaTrustedMetadata">
  <!-- Baseline release to every relying party. PolicyRequirementRule ANY is
       always true, so this fires for every requester that reaches the filter.
       Despite the policy id, nothing in this rule checks the SP's metadata or
       its trustworthiness; that, if enforced at all, has to come from the
       metadata provider / relying-party configuration elsewhere in the IdP.
       Keep the list to low-sensitivity, non-identifying attributes and align
       it with the local privacy policy. -->
  <PolicyRequirementRule xsi:type="ANY"/>
  <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
  <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
</AttributeFilterPolicy>
<!-- Transient ID release is enabled by default; the legacy transientId filter rule below is kept for reference only -->
<!--
<AttributeFilterPolicy id="releaseTransientIdToAnyone">
<PolicyRequirementRule xsi:type="ANY" />
<AttributeRule attributeID="transientId">
<PermitValueRule xsi:type="ANY" />
</AttributeRule>
</AttributeFilterPolicy>
-->
</AttributeFilterPolicyGroup>