Changes

Attribute Conversion for eduGAIN

1,265 bytes added, 9 October 2008, 08:28
Attribute Filtering: describing concepts, rephrasing
== Attribute Filtering ==
=== Concepts ===
At Home BE, Filtering normally gets its incoming attribute set from Conversion; at Remote BE, it gets incoming attributes from the other bridging element.
 
From a technical viewpoint, Attribute Filtering is just a Rule extension to Conversion, so you can use most of the features of Converter, especially regular expressions and matching conditions. One major difference is that '''only explicitly allowed attributes can pass through''', so you have to list all the attributes that you want to support in eduGAIN.
Filter uses name mappers in the same way as Converter. So you should define your attributes there before you start using 'friendly' attribute names here.
=== Allowing and denying attributes ===
Three main rules of the filtering framework:
# The default action is to deny all attributes.
# You can allow/deny whole attributes or specific values of the attributes.
# The first rule decides. If you allowed something, you cannot deny it later, and vice versa. So start with the special rules and leave the generic rules to the end.
You can allow an attribute by using the <code><AllowAttribute></code> element and deny it with <code><DenyAttribute></code>. Each element can optionally have child elements <code><AttributeValue></code>, which means that the action is only performed on certain values of the attribute.
{{INFO_EN|An attribute is removed from the set if its last value is removed. It means that it's not possible to pass through attributes without at least one value.}}
=== Using conditions ===
You can use the <code><Condition></code> node in a filter rule just like with converter. The syntax is the same. If you omit the <code>Condition</code> element, the rule is evaluated unconditionally.
There is one slight difference: in FilterRule, '''AttributeMatch is always evaluated on the original input attribute set'''. It means that you can reference attributes in conditions even if they were allowed or denied before. (This is what you would normally expect, though.)
 
You can allow or deny multiple attributes within one <code><FilterRule></code>. Note that the rule only applies if all the conditions within its <code><Condition></code> element evaluate to true.
=== Examples ===
<source lang="xml">
<?xml version="1.0" encoding="UTF-8"?>
<AttributeFilter>
  <!-- Unconditional rule: whole attributes are allowed or denied -->
  <FilterRule>
    <DenyAttribute attributeName="uid" />
    <DenyAttribute attributeName="homeOrganization" />
    <AllowAttribute attributeName="schacHomeOrganization" />
  </FilterRule>
  <!-- Conditional rule: only matching values of the attribute are allowed -->
  <FilterRule>
    <Condition>
      <LocalProviderMatch>^urn:.*\.hu$</LocalProviderMatch>
    </Condition>
    <AllowAttribute attributeName="eduPersonEntitlement">
      <AttributeValue>^.*@.*\.hu$</AttributeValue>
    </AllowAttribute>
  </FilterRule>
  <!-- AttributeMatch sees the input set, so the denied homeOrganization can still be matched -->
  <FilterRule>
    <Condition>
      <AttributeMatch attributeName="homeOrganization">niif.hu</AttributeMatch>
    </Condition>
    <AllowAttribute attributeName="eduPersonEntitlement">
      <AttributeValue>^.*@niif\.hu$</AttributeValue>
    </AllowAttribute>
  </FilterRule>
</AttributeFilter>
</source>
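The filtering semantics described above (default deny, first decision wins, value-level matching, conditions evaluated on the original input set, empty attributes removed) can be modelled in a few lines. This is an added example, not code from the eduGAIN bridging element: the Python rule encoding, the sample attribute set and the <code>^admin@</code> deny rule are constructed for illustration, only <code>AttributeMatch</code> conditions are modelled, and unanchored regular-expression search is an assumption.

```python
import re

# Constructed Python encoding of filter rules (hypothetical; the real configuration is XML).
# A rule has optional "conditions" [(attribute, regex)] and ordered
# "actions" [(allow|deny, attribute, value regex or None for all values)].
RULES = [
    {"actions": [("deny", "uid", None),
                 ("deny", "homeOrganization", None),
                 ("allow", "schacHomeOrganization", None)]},
    # Specific rule placed before the generic one, because the first decision wins.
    {"actions": [("deny", "eduPersonEntitlement", r"^admin@")]},
    {"conditions": [("homeOrganization", r"niif\.hu")],
     "actions": [("allow", "eduPersonEntitlement", r"^.*@niif\.hu$")]},
]

# Constructed sample input: attribute name -> list of values.
SAMPLE = {
    "uid": ["jdoe"],
    "homeOrganization": ["niif.hu"],
    "schacHomeOrganization": ["niif.hu"],
    "eduPersonEntitlement": ["admin@niif.hu", "member@niif.hu", "guest@example.org"],
    "mail": ["jdoe@niif.hu"],
}

def apply_filter(rules, attrs):
    """Return the attributes that pass the filter (name -> list of values)."""
    decided = {}  # (name, value) -> action; only the first decision is kept
    for rule in rules:
        # Conditions are evaluated on the original input set, so a denied
        # attribute such as homeOrganization can still be matched here.
        if not all(any(re.search(rx, v) for v in attrs.get(name, []))
                   for name, rx in rule.get("conditions", [])):
            continue
        for action, name, value_rx in rule["actions"]:
            for value in attrs.get(name, []):
                if value_rx is None or re.search(value_rx, value):
                    decided.setdefault((name, value), action)
    released = {}
    for name, values in attrs.items():
        kept = [v for v in values if decided.get((name, v)) == "allow"]  # default deny
        if kept:  # an attribute left without values is removed
            released[name] = kept
    return released

if __name__ == "__main__":
    print(apply_filter(RULES, SAMPLE))
```

With the sample input, <code>mail</code> is dropped because no rule mentions it, and <code>admin@niif.hu</code> stays denied even though the later allow rule also matches it.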
 
=== Using conditions ===
You can use the <code><Condition></code> node in the FilterRule. The syntax is the same as with the conversion rules, but there is one big difference: in a conversion rule, attribute matching is done on the current attribute set, so you can write a match to any attribute which is created before the specific rule which contains the match. '''In FilterRule, AttributeMatch is always done on the input attribute set - so you can match attributes which are either allowed or denied at the execution of the rule.'''
== Integration ==
