Shibboleth Developers

["Oleksandr Otenko" <>]

Can you try to see if the user specifies "*" target, will the allow for 
"*.switch.ch" take precedence. E.g. user specifies:
 user.B.ARP: (mixed allow and deny)
    rule: not *.switch.ch
      allow: givenname
      allow: surname
       deny: email
       deny: phone

And there is a ARP:
   rule: *.switch.ch (attributes released only inside *.switch.ch)
      allow: givenname
      allow: surname
      allow: email
      allow: phone
      allow: studyBranch1
      allow: studyBranch2
      allow: studyBranch3
      allow: studyLevel

Will a "more specific" target domain rule (specific domain name, not 
"any") override less specific rule?


Sassa

Valery Tschopp wrote:

> Hi,
>
> We have a problem with the ARP regexp matching function.
>
> The arp.site.xml define a default set of anonymous attributes ever 
> released (AnyTarget) and an extended set of attributes released only 
> inside our domain (privacy problem). User
>
> User's ARP are based on a template. And each user can choose (allow or 
> deny) if he agree to release outside our domain.
>
> How could we define the Resource matchFunction in the user ARP to define 
> the rule 'target is not *.switch.ch' ?
> There is no 'not-this-string' in regexp !?!
>
> Or any other idea how to implement this case?
>
>
> What we would like is something so:
>
> site.ARP:
>   rule: any target (only anonymous attributes)
>      allow: uniqueID
>      allow: homeOrganization
>      allow: homeOrganizationType
>      allow: affiliation
>
>   rule: *.switch.ch (attributes released only inside *.switch.ch)
>      allow: givenname
>      allow: surname
>      allow: email
>      allow: phone
>      allow: studyBranch1
>      allow: studyBranch2
>      allow: studyBranch3
>      allow: studyLevel
>
>
> user.template.ARP: (attributes released outside *.switch.ch)
>    rule: not *.switch.ch
>      allow: givenname
>      allow: surname
>      allow: email
>      allow: phone
>
>
> Based on the template, users can choose to allow or deny attribute 
> release outside the switch.ch domain. Like so:
>
> user.A.ARP: (all allowed)
>    rule: not *.switch.ch
>      allow: givenname
>      allow: surname
>      allow: email
>      allow: phone
>
>
> user.B.ARP: (mixed allow and deny)
>    rule: not *.switch.ch
>      allow: givenname
>      allow: surname
>       deny: email
>       deny: phone
>
> user.C.ARP: (all denied)
>    rule: not *.switch.ch
>       deny: givenname
>       deny: surname
>       deny: email
>       deny: phone
>
>
> -> user A attributes released outside switch.ch:
>      { uniqueID,
>        homeOrganization,
>        homeOrganizationType,
>        affiliation,
>        givenname,
>        surname,
>        email,
>        phone }
>
> -> user B attributes released outside switch.ch:
>      { uniqueID,
>        homeOrganization,
>        homeOrganizationType,
>        affiliation,
>        givenname,
>        surname }
>
> -> user C attributes released outside switch.ch:
>      { uniqueID,
>        homeOrganization,
>        homeOrganizationType,
>        affiliation }
>
>
> There is certainly another way to implement the same, but up to now I 
> didn't find it.
>
> Any idea are welcome ^_^
>
>
>
> Thanks in advance,
> Valery