Me again :-)
I'm tidying up my release policy for my Shib 2 IdP. While I could blanket release all values of eduPersonEntitlement to everyone, I thought I'd be tidy and just release the specific values required to just those SPs who want them.
To test this, we have a value E-ResourcesAdmins (yes, I know it's not a URI!) I want to release to our EZProxy, so, following https://spaces.internet2.edu/display/SHIB2/IdPAddAttributeFilterExamples#IdPAddAttributeFilterExamples-ex3 in attribute-filter.xml I did:
    <AttributeFilterPolicy id="libproxy">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://libproxy.dundee.ac.uk/shibboleth" />
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
            </PermitValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>
NB, I only have one value I want to release, but can't see anything other than basic:OR that works. I get my wrists slapped with the following in the idp-process log:
10:25:08.175 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeFilterEngine service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.b: The content of element 'PermitValueRule' is not complete. One of '{"urn:mace:shibboleth:2.0:afp:mf:basic":Rule, "urn:mace:shibboleth:2.0:afp:mf:basic":RuleReference}' is expected
If I put
    <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
    </PermitValueRule>
or for that matter any garbage for the second value, it's quite happy.
So, if I have but one value that I want to release to a particular SP, any ideas how I'm meant to do it?
BTW, is there a particular reason why the syntax of this file is so obtuse?
TIA
Confused of Dundee
The University of Dundee is a registered Scottish charity, No: SC015096
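An added example, not part of the original post and not Shibboleth project code: a pre-deployment check that flags any basic:OR holding fewer than two rules (the condition behind the SAXParseException above, which stops the filter engine from loading) and suggests a single-rule form. It assumes the prefix "basic" is bound as in the post, and that PermitValueRule accepts xsi:type="basic:AttributeValueString" directly; the function name and the second sample policy are made up for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"  # namespace named in the SAXParseException
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CHILD_TAGS = {f"{{{BASIC}}}Rule", f"{{{BASIC}}}RuleReference"}

# Constructed sample: the "libproxy" policy from the post plus a made-up two-value policy.
SAMPLE = """<AttributeFilterPolicyGroup id="example" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="libproxy">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://libproxy.dundee.ac.uk/shibboleth" />
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="E-ResourcesAdmins" ignoreCase="true" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
  <AttributeFilterPolicy id="constructed-two-values">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonEntitlement">
      <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="urn:example:a" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="urn:example:b" />
      </PermitValueRule>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

def lint_or_rules(xml_text):
    """Return (policy id, element, rule count, suggested fix) per under-filled basic:OR.
    Assumes the prefix "basic" is bound to BASIC, as in the post's file."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for el in root.iter():
        rules = [c for c in el if c.tag in CHILD_TAGS]
        if el.get(XSI_TYPE) != "basic:OR" or len(rules) >= 2:
            continue
        node, name = el, el.tag.split("}")[-1]
        while node in parent and not node.tag.endswith("}AttributeFilterPolicy"):
            node = parent[node]  # walk up so the finding names its enclosing policy
        fix = None
        if len(rules) == 1 and rules[0].tag.endswith("}Rule"):
            # Assumption: the lone rule's type and attributes can sit on the parent itself.
            attrs = " ".join(f"{k}={quoteattr(v)}" for k, v in rules[0].attrib.items() if k != XSI_TYPE)
            fix = f'<{name} xsi:type="{rules[0].get(XSI_TYPE)}" {attrs} />'
        findings.append((node.get("id"), name, len(rules), fix))
    return findings

print(lint_or_rules(SAMPLE))
```

Run against the real attribute-filter.xml before reloading the IdP, since a file that fails schema validation leaves the shibboleth.AttributeFilterEngine configuration unloaded.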