A simple <PermitValueRule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" /> should do the trick I think. (i.e. no child <Rule>s)
I think the format is obtuse because allowing arbitrary nested XML tags (i.e. the boolean logic) around the "real" XML tags (i.e. the individual rules) will necessitate horrible XML schema with an obtuse format... So it's an undesirable but necessary side effect of having the flexibility required by people to build the rules.
R.
On 4 Dec 2009, at 10:48, Andy Swiffin wrote:
> Me again :-)
>
> I'm tidying up my release policy for my Shib 2 IdP. While I could blanket release all values of eduPersonEntitlement to everyone I thought I'd be tidy and just release the specific values required to just those SPs who want them.
>
> To test this, we have a value E-ResourcesAdmins (yes, I know it's not a URI!) I want to release to our EZProxy, so, following https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilterExamples#IdPAddAttributeFilterExamples-ex3 in attribute-filter.xml I did:
>
> <AttributeFilterPolicy id="libproxy">
>     <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://libproxy.dundee.ac.uk/shibboleth" />
>     <AttributeRule attributeID="eduPersonEntitlement">
>
>         <PermitValueRule xsi:type="basic:OR">
>             <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
>         </PermitValueRule>
>
>     </AttributeRule>
> </AttributeFilterPolicy>
>
> NB, I only have one value I want to release, but can't see anything other than basic:OR that works. I get my wrists slapped with the following in the idp-process log:
>
> 10:25:08.175 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeFilterEngine service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.b: The content of element 'PermitValueRule' is not complete. One of '{"urn:mace:shibboleth:2.0:afp:mf:basic":Rule, "urn:mace:shibboleth:2.0:afp:mf:basic":RuleReference}' is expected
>
> If I put
>
> <PermitValueRule xsi:type="basic:OR">
>     <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
>     <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
> </PermitValueRule>
>
> or for that matter any garbage for the second value, it's quite happy.
>
> So, if I have but one value that I want to release to a particular SP, any ideas how I'm meant to do it?
>
>
> BTW, is there a particular reason why the syntax of this file is so obtuse?
>
> TIA
> Confused of Dundee
>
>
>
> The University of Dundee is a registered Scottish charity, No: SC015096
--
----------------------------------------------------------------------
Rhys Smith e: [log in to unmask]
Engineering Consultant: Identity & Access Management (GPG:0xDE2F024C)
Information Services,
Cardiff University, t: +44 (0) 29 2087 0126
39-41 Park Place, Cardiff, f: +44 (0) 29 2087 4285
CF10 3BB, United Kingdom. m: +44 (0) 7968 087 821
----------------------------------------------------------------------
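Added example, not part of the original thread or of the Shibboleth project: a pre-deployment check that flags any basic:OR rule with fewer than two child rules, the shape that stopped the AttributeFilterEngine configuration from loading above. It goes beyond the thread by also checking basic:AND, assumed to carry the same two-child requirement; the function name, policy ids and wrapper element in the sample are constructed.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
BASIC_NS = "urn:mace:shibboleth:2.0:afp:mf:basic"  # namespace named in the SAXParseException
CHILDREN = {"{%s}Rule" % BASIC_NS, "{%s}RuleReference" % BASIC_NS}

def lint_filter(xml_text):
    """Return (policy id, functor, child rule count) for every basic:OR / basic:AND
    rule that has fewer than two child rules."""
    data = xml_text.encode("utf-8")
    # xsi:type holds a QName; assumes prefixes are not rebound deeper in the file.
    prefixes = dict(ns for _, ns in ET.iterparse(io.BytesIO(data), events=["start-ns"]))
    findings = []
    for policy in ET.fromstring(data).iter():
        if policy.tag.rpartition("}")[2] != "AttributeFilterPolicy":
            continue
        for rule in policy.iter():
            prefix, _, local = rule.get(XSI_TYPE, "").rpartition(":")
            if prefixes.get(prefix) != BASIC_NS or local not in ("OR", "AND"):
                continue
            count = sum(1 for child in rule if child.tag in CHILDREN)
            if count < 2:
                findings.append((policy.get("id"), local, count))
    return findings

# Constructed sample: the single-child OR from the thread, then the single-rule form.
SAMPLE = """\
<AttributeFilterPolicyGroup id="ExampleGroup" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="libproxy">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://libproxy.dundee.ac.uk/shibboleth" />
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="libproxy-single-value">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://libproxy.dundee.ac.uk/shibboleth" />
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

if __name__ == "__main__":
    print(lint_filter(SAMPLE))
```

Only the first policy is reported; the second uses the single PermitValueRule form suggested in the reply and passes.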