
shibboleth-dev - ARP regexp?


  • From: Valery Tschopp <>
  • To: ,
  • Subject: ARP regexp?
  • Date: Tue, 22 Feb 2005 18:59:33 +0100
  • Organization: SWITCH - Swiss Education & Research Network

Hi,

We have a problem with the ARP regexp matching function.

The arp.site.xml defines a default set of anonymous attributes that is always released (AnyTarget) and an extended set of attributes released only inside our domain (privacy problem).

Users' ARPs are based on a template, and each user can choose (allow or deny) if he agrees to release outside our domain.

How could we define the Resource matchFunction in the user ARP to express the rule 'target is not *.switch.ch'?
There is no 'not-this-string' in regexp!?!

Or any other idea how to implement this case?


What we would like is something like this:

site.ARP:
rule: any target (only anonymous attributes)
allow: uniqueID
allow: homeOrganization
allow: homeOrganizationType
allow: affiliation

rule: *.switch.ch (attributes released only inside *.switch.ch)
allow: givenname
allow: surname
allow: email
allow: phone
allow: studyBranch1
allow: studyBranch2
allow: studyBranch3
allow: studyLevel


user.template.ARP: (attributes released outside *.switch.ch)
rule: not *.switch.ch
allow: givenname
allow: surname
allow: email
allow: phone


Based on the template, users can choose to allow or deny attribute release outside the switch.ch domain, like so:

user.A.ARP: (all allowed)
rule: not *.switch.ch
allow: givenname
allow: surname
allow: email
allow: phone


user.B.ARP: (mixed allow and deny)
rule: not *.switch.ch
allow: givenname
allow: surname
deny: email
deny: phone

user.C.ARP: (all denied)
rule: not *.switch.ch
deny: givenname
deny: surname
deny: email
deny: phone


-> user A attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation,
givenname,
surname,
email,
phone }

-> user B attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation,
givenname,
surname }

-> user C attributes released outside switch.ch:
{ uniqueID,
homeOrganization,
homeOrganizationType,
affiliation }


There is certainly another way to implement the same thing, but so far I haven't found it.

Any ideas are welcome ^_^



Thanks in advance,
Valery

--
Valery Tschopp Software Engineer
SWITCH The Swiss Education and Research Network
AAI Neumuehlequai 6 8001 Zurich
phone:+41 1 268 1515
email:
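As an added example (not part of Valery's message or of the Shibboleth code), the following Python models the site and user ARPs from the post, using an anchored negative-lookahead regexp for the 'not *.switch.ch' Resource rule and a simplified allow/deny evaluation to reproduce the three released sets listed above. The evaluation rule, lookahead support in the matching engine, and the resource names are assumptions.

```python
import re
from dataclasses import dataclass, field

# The post asks for a Resource rule meaning "target is not *.switch.ch". Regexps
# have no "not this string" operator, but a negative lookahead expresses it
# (assumption: the engine supports lookahead, as java.util.regex does). Both
# patterns are anchored, so "x.switch.ch.example.org" counts as outside the domain.
INSIDE_SWITCH = r"^.*\.switch\.ch$"
OUTSIDE_SWITCH = r"^(?!.*\.switch\.ch$).*$"

def outside_switch(resource: str) -> bool:
    return re.fullmatch(OUTSIDE_SWITCH, resource) is not None

@dataclass
class Rule:
    target: str                       # regexp over the requesting resource
    allow: set = field(default_factory=set)
    deny: set = field(default_factory=set)

    def matches(self, resource: str) -> bool:
        return re.fullmatch(self.target, resource) is not None

def released(rules, resource):
    """Attributes released to `resource` under a combined list of ARP rules.
    Model (an assumption for this example, not the Shibboleth engine): an attribute
    is released if some matching rule allows it and no matching rule denies it."""
    allowed, denied = set(), set()
    for rule in rules:
        if rule.matches(resource):
            allowed |= rule.allow
            denied |= rule.deny
    return allowed - denied

# Attribute sets and ARPs as laid out in the post.
ANONYMOUS = {"uniqueID", "homeOrganization", "homeOrganizationType", "affiliation"}
PERSONAL = {"givenname", "surname", "email", "phone"}
STUDY = {"studyBranch1", "studyBranch2", "studyBranch3", "studyLevel"}

SITE_ARP = [Rule(r".*", allow=ANONYMOUS),                 # AnyTarget rule
            Rule(INSIDE_SWITCH, allow=PERSONAL | STUDY)]  # *.switch.ch rule
USER_A = [Rule(OUTSIDE_SWITCH, allow=PERSONAL)]
USER_B = [Rule(OUTSIDE_SWITCH, allow={"givenname", "surname"}, deny={"email", "phone"})]
USER_C = [Rule(OUTSIDE_SWITCH, deny=PERSONAL)]

if __name__ == "__main__":
    for name, user_arp in (("A", USER_A), ("B", USER_B), ("C", USER_C)):
        print(name, "outside:", sorted(released(SITE_ARP + user_arp, "sp.example.org")))
        print(name, "inside: ", sorted(released(SITE_ARP + user_arp, "aai.switch.ch")))
```

Because the user rule only matches outside targets, a user's deny entries never remove attributes from requests coming from *.switch.ch hosts.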



