→Attribute Filtering: describing concepts, rephrasing
== Attribute Filtering ==
=== Concepts ===
At Home BE, Filtering normally gets its incoming attribute set from Conversion; at Remote BE, it gets incoming attributes from the other bridging element.
From a technical viewpoint, Attribute Filtering is just a Rule extension to Conversion, so you can use most of the features of Converter, especially regular expressions and matching conditions. One major difference is that '''only explicitly allowed attributes can pass through''', so you have to list all the attributes that you want to support in eduGAIN.
=== Allowing and denying attributes ===
Three main rules of the filtering framework:
# The default action is to deny ALL attributes.
# You can allow/deny whole attributes or specific values of the attributes.
# The first rule decides. If you allowed something, you cannot deny it later, and vice versa. So start with the special rules and leave the generic rules to the end.
There is one slight difference: in FilterRule, '''AttributeMatch is always evaluated on the original input attribute set'''. It means that you can reference attributes in conditions even if they were allowed or denied before. (This is what you would normally expect, though.)
You can allow or deny multiple attributes within one <code><FilterRule></code>. Note that the rule only applies if all the conditions within its <code><Condition></code> element evaluate to true.
=== Examples ===
<source lang="xml">
<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilter>
    <!-- Unconditional rule: deny uid and homeOrganization, allow schacHomeOrganization -->
    <FilterRule>
        <DenyAttribute attributeName="uid" />
        <DenyAttribute attributeName="homeOrganization" />
        <AllowAttribute attributeName="schacHomeOrganization" />
    </FilterRule>
    <!-- Applies only when the local provider matches: allow entitlement values scoped to .hu -->
    <FilterRule>
        <Condition>
            <LocalProviderMatch>^urn:.*\.hu$</LocalProviderMatch>
        </Condition>
        <AllowAttribute attributeName="eduPersonEntitlement">
            <AttributeValue>^.*@.*\.hu$</AttributeValue>
        </AllowAttribute>
    </FilterRule>
    <!-- The condition reads homeOrganization from the original input set, although it was denied above -->
    <FilterRule>
        <Condition>
            <AttributeMatch attributeName="homeOrganization">niif.hu</AttributeMatch>
        </Condition>
        <AllowAttribute attributeName="eduPersonEntitlement">
            <AttributeValue>^.*@niif\.hu$</AttributeValue>
        </AllowAttribute>
    </FilterRule>
</AttributeFilter>
</source>
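A simplified Python model of the three rules and of the AttributeMatch behaviour, run against the example policy above; it is an added illustration, not the bridging element's own code. The rule tuples, function names, sample attribute set and provider URNs are constructed, and treating AttributeMatch and LocalProviderMatch as regular expressions searched in the value is an assumption.

```python
import re

# Constructed model of the example policy: (condition, action, attribute, value regex).
# The tuple shape and regex matching of conditions are assumptions of this sketch.
RULES = [
    (None, "deny", "uid", None),
    (None, "deny", "homeOrganization", None),
    (None, "allow", "schacHomeOrganization", None),
    ({"provider": r"^urn:.*\.hu$"}, "allow", "eduPersonEntitlement", r"^.*@.*\.hu$"),
    ({"attr": ("homeOrganization", r"niif.hu")}, "allow", "eduPersonEntitlement", r"^.*@niif\.hu$"),
]

# Constructed sample input attribute set.
SAMPLE = {
    "uid": ["jdoe"],
    "homeOrganization": ["niif.hu"],
    "schacHomeOrganization": ["niif.hu"],
    "eduPersonEntitlement": ["staff@niif.hu", "guest@example.hu", "member@example.org"],
    "mail": ["jdoe@niif.hu"],
}


def condition_holds(cond, original, provider):
    """Conditions are checked on the ORIGINAL input, even for attributes denied earlier."""
    if cond is None:
        return True
    if "provider" in cond:
        return re.search(cond["provider"], provider) is not None
    name, pattern = cond["attr"]
    return any(re.search(pattern, v) for v in original.get(name, []))


def filter_attributes(original, provider, rules=RULES):
    """Return the attribute values that pass the filter for the given provider."""
    released = {}
    for name, values in original.items():
        for value in values:
            decision = "deny"  # rule 1: anything not explicitly allowed is dropped
            for cond, action, attr, value_re in rules:
                if attr != name or not condition_holds(cond, original, provider):
                    continue
                if value_re is not None and not re.search(value_re, value):
                    continue
                decision = action  # rule 3: the first matching rule decides
                break
            if decision == "allow":
                released.setdefault(name, []).append(value)
    return released
```

In this model `mail` is dropped because no rule names it, and for a provider outside `.hu` only `staff@niif.hu` is released, through the last rule, whose condition still sees the denied `homeOrganization`.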
== Integration ==