From af3487b9c4a9b630d88b55c2bcc4bedf257cab4a Mon Sep 17 00:00:00 2001
From: Björn Mattsson
Date: Thu, 19 Oct 2023 16:05:58 +0200
Subject: Added files from Wiki + base files for repo

---
 schema/shibboleth-afp.xsd | 952 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 952 insertions(+)
 create mode 100644 schema/shibboleth-afp.xsd

(limited to 'schema/shibboleth-afp.xsd')

diff --git a/schema/shibboleth-afp.xsd b/schema/shibboleth-afp.xsd
new file mode 100644
index 0000000..9af7009
--- /dev/null
+++ b/schema/shibboleth-afp.xsd
@@ -0,0 +1,952 @@ + + + + + + + Schema for the attribute filter policies. + + + + + + Root element of the attribute filter policy. Represents a named group of filter policies. + + + + + + + + + + + Defines a set of applications requirements that may be reused across multiple filter + policies. + + + + + + + Defines a permit value rule that may be reused across multiple attribute rules. + + + + + + + Defines a deny value rule that may be reused across multiple attribute rules. + + + + + + + Defines an attribute rule that may be reused across multiple filter policies. + + + + + + + A policy that defines the set of attribute value filters that will be applied if its + application requirements are met. + + + + + + + Digital signature for the policy. Policies that are fetched from an external source, + such as a federation site, should be signed. + + + + + + + + + + + + A policy that defines a set of attribute value filters rules that should be used if given requirements + are met. + + + + + + + + + + + A requirement that if met signals that this filter policy should be used. + + + + + + + A rule that describes how values of an attribute will be filtered. + + + + + + + + + + + A rule that describes how values of an attribute will be filtered. + + + + + + + + + + + + Reference to a PermitValueRule defined within this policy group or another. + + + + + + + + + + Reference to a DenyValueRule defined within this policy group or another. + + + + + + + + The ID of the attribute to which this rule applies. + + + + + If present, and true injects an implicit permit value rule of type ANY + + + + + + + + + A requirement that if met signals that a filter policy should be used. + + + + + + A filter for attribute values. If the filter evaluates to true the value is permitted to be released. + + + + + + + A filter for attribute values. If the filter evaluates to true the value is denied and may not be released. 
+ + + + + + + + + + + + + An ID, unique within the policy and component type. + + + + + + + + Used to reference a globally defined policy component. + + + + + + + + A match function that evaluates to true. + + + + + + + + + + A match function that evaluates to true. + + + + + + + + + A match function that evaluates to true. + + + + + + + + + + + A match function that performs a logical AND on the results of all contained matching functions. + + + + + + + + + The set of match function rules to be ANDed. + + + + + + + + + + + + A match function that performs a logical OR on the results of all contained matching functions. + + + + + + + + + The set of match function rules to be ORed. + + + + + + + + + + + + A match function that performs a logical NOT on the result of the contained matching function. + + + + + + + + + The set of match function rules to be negated. + + + + + + + + + + + + + A match function that matches the attribute request against the + specified value. + + + + + + + + The reference to an externally defined bean to do the predicate work + + + + + + + + + + + + A match function that matches the attribute requester against the specified value. + + + + + + + + + + + A match function that matches a proxied attribute requester against the specified value. + + + + + + + + + + + A match function that matches the attribute issuer against the specified value. + + + + + + + + + + A match function that matches the principal name against the specified value. + + + + + + + + + A match function that matches the active profile identifier against the specified value. + + + + + + + + + + A match function that matches the value of an attribute against the specified value. This match + evaluates to true if the attribute contains the specified value. + + + + + + + + + + + A match function that matches the attribute scope against the specified value. + + + + + + + + + + + + + + The ID of the attribute whose value should be matched. 
If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + + + + + + + The string value to match. + + + + + + A boolean flag indicating whether the match evaluation should be case sensitive. + + + + + + + + + + + + A match function that matches the attribute requester against the specified regular expression. + + + + + + + + + + + A match function that matches a proxied attribute requester against the specified regular expression. + + + + + + + + + + + A match function that matches the attribute issuer against the specified regular expression. + + + + + + + + + + + A match function that matches the principal name against the specified regular expression. + + + + + + + + + + + A match function that matches an attribute value against the specified regular expression. This function + evaluates to true if any value matches the given expression. + + + + + + + + + + + A match function that matches the attribute scope against the specified regular expression. + + + + + + + + + + + + + + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + + + + + + + The regular expression values are matched against. + + + + + Whether the comparison is case sensitive, default TRUE + + + + + + + + + + + A match function that evaluates a script to determine if some criteria is met. The script MUST return a + boolean. + + + + + + + + The script to evaluate to construct the attribute. + + + + + + The filesystem path to the script to evaluate to construct the attribute. + + + + + + + + The JSR-233 name for the scripting language that will be used. By default "javascript" is + supported. + + + + + + + The name of a bean defined somewhere else which will be injected into the script as an + object called "custom". If not supplied nothing is injected. 
+ + + + + + + + + + + A match function that evaluates to true if the given attribute has as a number of values that falls + between the minimum and maximum. This method may be used as a sanity check to ensure that an unexpected + number of values did not come from the attribute resolver and be released. + + + + + + + The ID of the attribute whose value should be matched. + + + + + Minimum number of values an attribute may have. + + + + + Maximum number of values an attribute may have. + + + + + + + + + + + + A match function that checks if the attribute requester's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + A match function that checks if a proxied requester's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + A match function that checks if the attribute issuer's metadata + contains an entity attribute with the specified value. + + + + + + + + + + + + + The name of the entity attribute to match. + + + + + The value of the entity attribute to match. + + + + + The NameFormat of the entity attribute to match. + + + + + + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. + + + + + + + + + + + A match function that checks if the attribute requester's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + A match function that checks if a proxied requester's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + A match function that checks if the attribute issuer's metadata contains + an entity attribute with a value that matches the given regular expression. + + + + + + + + + + + + + The name of the entity attribute to match. + + + + + The regular expression that must match the value of the entity attribute to + match. + + + + + The name format of the entity attribute to match. 
+ + + + + + Boolean attribute, whether to examine only mapped/decoded attributes, default is false. + + + + + + + + + + + A match function that evaluates to true if the attribute requester supports a specified + NameID format. + + + + + + + + + + + A match function that evaluates to true if the attribute issuer supports a specified + NameID format. + + + + + + + + + + + + + The NameID format that needs to be supported by the entity. + + + + + + + + + + A match function that evaluates to true if the attribute requester is found in metadata and + is a member of the given entity group. + + + + + + + + + + + A match function that evaluates to true if a proxied requester is found in metadata and + is a member of the given entity group. + + + + + + + + + + + A match function that evaluates to true if the attribute issuer is found in metadata and + is a member of the given entity group. + + + + + + + + + + + + + The entity group ID that an entity must be in. + + + + + + Whether to check for membership in metadata-based AffiliationDescriptors. + + Defaults to false. + + + + + + + + + + + A match function that matches a requester's MDRPI against a list of potential values. + + + + + + + + + + + A match function that matches a proxied requester's MDRPI against a list of potential values. + + + + + + + + + + + A match function that matches the attribute issuer's MDRPI content against a list of potential values. + + + + + + + + + + + + + The string values to match. + + + + + + A boolean flag indicating whether a match should occur if the metadata does + not contain an MDRPI statement (coded) default is false. + + + + + + + + + + + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. + + + + + + + + + + + A match function that ensures that an attribute value's scope matches a scope given in + metadata for the entity or role of the attribute issuer. 
+ + + + + + + + + + + A match function that evaluates to true if an attribute (or specific values) is specified by + the requesting entity's AttributeConsumingService SP metadata. + + It supports both explicit checking for a named SAML RequestedAttribute in metadata, or + comparison via the transcoding registry to compare the internal attribute form against + decoded objects produced from the metadata. This is the old "mapped" functionality + in V3 and is now collapsed into one matcher type. + + + + + + + + The ID of the attribute whose value should be matched. If no attribute ID is specified the + ID of the containing attribute rule is assumed. + + + + + + + A boolean flag indicating whether attributes noted as optional should match. + + + + + + + A boolean flag indicating whether a match should occur if (after mapping) + the metadata does not contain and Attributes. + + + + + + The name of a requested attribute to look for. + + + + + The name format of a requested attribute to look for. + + + + + + + + + + + + + + + + -- cgit v1.2.3
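
Review bot: The annotation text in this new schema has copy-paste errors that leave matcher semantics ambiguous for whoever writes release policies against it: three consecutive annotations all read "A match function that evaluates to true.", and the two scope annotations just before the AttributeConsumingService matcher are word-for-word identical ("...matches a scope given in metadata for the entity or role of the attribute issuer."), so a reader cannot tell what distinguishes them. In the script matcher, "The script to evaluate to construct the attribute." (used for both the inline script and the file path) contradicts the matcher's own description that the script MUST return a boolean, and "JSR-233" should be JSR-223. The annotation "matches the attribute request against the specified value" sits above a setting documented only as a reference to an externally defined predicate bean, so the description should say that the bean decides the match. Smaller wording fixes: "does not contain and Attributes" should read "any Attributes", "has as a number of values" has a stray "as", and "If present, and true injects" needs its comma moved after "true". Because this file describes which attribute values may be released, I would correct the annotations before merging, or note in the commit message that the file is an unmodified copy from the wiki so the errors can be tracked against the original.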