Commit 3c1fd147 authored by Sandro Mathys's avatar Sandro Mathys

initial version

parent 8ce5bc2e
default:
tags:
- docker-host-linux
interruptible: true
image:
# using the debug image because GitLab CI requires a shell
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
before_script:
- mkdir -p /kaniko/.docker
- echo "{\"auths\":{\"${CI_REGISTRY}\":{\"username\":\"${CI_REGISTRY_USER}\",\"password\":\"${CI_REGISTRY_PASSWORD}\"}}}" > /kaniko/.docker/config.json
stages:
- build
- push
build:
stage: build
script:
- /kaniko/executor --context "${CI_PROJECT_DIR}" --no-push
except:
variables:
- $CI_COMMIT_TAG
push:
stage: push
script:
- /kaniko/executor --context "${CI_PROJECT_DIR}" --destination "${CI_REGISTRY_IMAGE}:${CI_COMMIT_TAG}"
only:
variables:
- $CI_COMMIT_TAG
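Review bot: The executor image on line 13 is referenced by the floating tag `gcr.io/kaniko-project/executor:debug`, so each pipeline run picks up whatever upstream last published under that tag, and this is the image that receives `CI_REGISTRY_PASSWORD` via the `before_script`; pin it to a digest, `name: gcr.io/kaniko-project/executor:debug@sha256:<IMAGE_DIGEST>`, and bump it deliberately. The `echo` on line 17 also assembles the docker config by string interpolation, so a registry password containing `"` or `\` would yield invalid JSON — presumably fine for the built-in job token, but worth a comment such as `# credentials are interpolated unescaped; only safe for CI_JOB_TOKEN-style values` in case the credential is later swapped for a deploy token. Both jobs rely on `only`/`except` with `variables:`; if the project targets a GitLab version that supports `rules:`, that form makes the tag-only push condition easier to read.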
FROM cr.gitlab-int.switch.ch/maps/upstream-images/ubuntu:focal
ENV DEBIAN_FRONTEND=noninteractive
# https://pkg.switch.ch/switchaai/SWITCHaai-swdistrib.gpg
# https://packages.cloud.google.com/apt/doc/apt-key.gpg
COPY SWITCHaai-swdistrib.gpg kubernetes-archive-keyring.gpg /usr/share/keyrings/
# kubernetes does not currently support ubuntu focal :(
RUN echo "deb [signed-by=/usr/share/keyrings/SWITCHaai-swdistrib.gpg] http://pkg.switch.ch/switchaai/ubuntu focal main" > /etc/apt/sources.list.d/SWITCHaai-swdistrib.list; \
echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list
# ca-certificates is required to access the kubernetes repo
RUN apt-get update; \
apt-get install -y --no-install-recommends ca-certificates; \
apt-get update; \
apt-get install -y --no-install-recommends apache2 shibboleth libapache2-mod-shib openssl kubectl; \
apt-get clean; \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*; \
rm -rf /etc/apache2/conf-available; \
rm -rf /etc/apache2/conf-enabled; \
rm -rf /etc/apache2/mods-available; \
rm -rf /etc/apache2/mods-enabled; \
rm -rf /etc/apache2/sites-available; \
rm -rf /etc/apache2/sites-enabled; \
rm -rf /etc/apache2/apache2.conf; \
rm -rf /etc/apache2/ports.conf; \
rm -f /etc/shibboleth/attribute-map.xml; \
rm -f /etc/shibboleth/attribute-policy.xml; \
rm -f /etc/shibboleth/shibboleth2.xml; \
rm -f /etc/shibboleth/example-*; \
rm -f /etc/shibboleth/*.logger; \
rm -rf /var/log/*
RUN ln -sf /usr/lib/apache2/modules /etc/apache2/modules; \
ln -sf /dev/shm /etc/apache2/run
# https://www.switch.ch/aai/guides/sp/configuration/#setupprofile
# NOTE: attribute-map.xml was manually edited to include all "local attributes" (which are
# commented out in the donloaded file) and all attributes enabled by "edu-ID only" mode.
COPY attribute-map.xml attribute-policy.xml SWITCHaaiRootCA.crt.pem /etc/shibboleth/
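Review bot: The package-installation chain on lines 44–63 joins its commands with `;`, so a failed `apt-get install` on line 45 or 47 does not fail the layer — the trailing `rm -rf` succeeds and the image is built green with packages missing. Replace each `; \` in that RUN (and in the ones on lines 41–42 and 64–65) with `&& \` so the first failing command aborts the build. Separately, the SWITCHaai source on line 41 is fetched over `http://`; the `signed-by` keyring authenticates the packages, but if the mirror offers HTTPS, using it avoids fetching the index in cleartext. The `kubectl` and Shibboleth packages on line 47 are installed unpinned, so rebuilds are not reproducible; pinning versions in that `apt-get install` line would make the image contents auditable.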
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
SWITCHaai federation attribute map configuration file
Based on SWITCHaai Attribute Specification 1.6 from 2017-04-11
Last update: 2018-07-06
Earlier versions included the SAML1 attribute names in the
urn:mace namespace, this is no longer included in this version.
SAML2 attribute names use the urn:oid namespace only.
-->
<!--
Until version 2.5 the Shibboleth Service Provider supported the use
of attribute aliases that could be used to make an attribute available
under multiple names. However, this feature was deprecated in version
2.5. To use an alternative mechanism, please have a look at:
https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeResolver
-->
<!-- New standard identifier attributes for SAML. -->
<Attribute name="urn:oasis:names:tc:SAML:attribute:subject-id" id="subject-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<Attribute name="urn:oasis:names:tc:SAML:attribute:pairwise-id" id="pairwise-id">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Legacy pairwise identifier attribute / NameID format, intended to be replaced
by the simpler pairwise-id attribute. -->
<!-- The eduPerson attribute version (eduPersonTargetedID, note the OID-style name): -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- SAML 2.0 NameID Format: -->
<Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
<AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
</Attribute>
<!-- The following list is structured like the 'SWITCHaai Attributes' web page:
https://www.switch.ch/aai/support/documents/attributes/ -->
<!-- Core attributes -->
<!-- SWITCHaai Core Attributes -->
<!-- Affiliation -->
<!-- to maintain backwards compatibility in SWITCHaai, the id is
"affiliation" instead of "unscoped-affiliation" -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- E-mail -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
<!-- Given name -->
<Attribute name="urn:oid:2.5.4.42" id="givenName"/>
<!-- Home organization -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.4" id="homeOrganization">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Home organization type -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.5" id="homeOrganizationType">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Scoped affiliation -->
<!-- to maintain backwards compatibility in SWITCHaai, the id is
"scoped-affiliation" instead of "affiliation" -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="scoped-affiliation">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Surname -->
<Attribute name="urn:oid:2.5.4.4" id="surname"/>
<!-- Targeted ID/Persistent ID -->
<!-- see above: Attribute Persistent ID (eduPersonTargetedID) -->
<!-- Unique ID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1" id="uniqueID">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Interfederation Core Attributes -->
<!-- Common Name -->
<Attribute name="urn:oid:2.5.4.3" id="cn"/>
<!-- Display Name -->
<Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
<!-- eduPerson Unique ID -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" id="eduPersonUniqueId">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Principal name -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="principalName">
<AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- SCHAC home organization -->
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.9" id="schacHomeOrganization">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- SCHAC home organisation type -->
<Attribute name="urn:oid:1.3.6.1.4.1.25178.1.2.10" id="schacHomeOrganizationType">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Other attributes -->
<!-- swissEduPerson, swissLibraryPerson, swissEduID Other attributes -->
<!-- Card UID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.12" id="cardUID"/>
<!-- Date of birth -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.2" id="dateOfBirth"/>
<!-- Gender -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.3" id="gender"/>
<!-- Library Patron Affiliation -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1023" id="swissLibraryPersonAffiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Library Patron Residence -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1025" id="swissLibraryPersonResidence">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Matriculation number -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.11" id="matriculationNumber"/>
<!-- Staff category -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.10" id="staffCategory"/>
<!-- Study branch 1 -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.6" id="studyBranch1"/>
<!-- Study branch 2 -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.7" id="studyBranch2"/>
<!-- Study branch 3 -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.8" id="studyBranch3"/>
<!-- Study level -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.9" id="studyLevel"/>
<!-- Swiss edu-ID internal identifier -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.13" id="Swiss_edu-ID"/>
<!-- International Other Attributes -->
<!-- Assurance profile -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11" id="assurance"/>
<!-- Business phone number -->
<Attribute name="urn:oid:2.5.4.20" id="telephoneNumber"/>
<!-- Business postal address -->
<Attribute name="urn:oid:2.5.4.16" id="postalAddress"/>
<!-- Employee number -->
<Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
<!-- Entitlement -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
<!-- Home postal address -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.39" id="homePostalAddress"/>
<!-- Member of -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" id="isMemberOf"/>
<!-- Mobile phone number -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.41" id="mobile"/>
<!-- Nick name -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.2" id="nickname"/>
<!-- ORCID identifier -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.16" id="orcid"/>
<!-- Organization path -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.3" id="org-dn"/>
<!-- Organizational unit -->
<Attribute name="urn:oid:2.5.4.11" id="ou"/>
<!-- Organizational unit path -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.4" id="orgunit-dn"/>
<!-- Preferred Language -->
<Attribute name="urn:oid:2.16.840.1.113730.3.1.39" id="preferredLanguage"/>
<!-- Primary affiliation -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
<AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
</Attribute>
<!-- Primary organizational unit -->
<Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.8" id="primary-orgunit-dn"/>
<!-- Private phone number -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.20" id="homePhone"/>
<!-- SSH Public Key -->
<Attribute name="urn:oid:1.3.6.1.4.1.24552.500.1.1.1.13" id="sshPublicKey"/>
<!-- User ID -->
<Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
<!-- Local attributes -->
<!-- enble the attributes that your SP is able to handle -->
<!-- Fernuni Imap Password -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1024" id="fschImapPW"/>
<!-- FFHS user type -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1022" id="UserType"/>
<!-- FHNW Abrechnungskostenstelle -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1007" id="fhnwAbrKst"/>
<!-- FHNW detailed affiliation -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1008" id="fhnwDetailedAffiliation"/>
<!-- FHNW IDPerson (Evento) -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1009" id="fhnwIDPerson"/>
<!-- FHNW Organisationseinheit aus Metadirectory -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1013" id="fhnwOeID"/>
<!-- FHNW SAP additional user information -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1011" id="fhnwSapUserInfo"/>
<!-- FHNW SAP UserID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1010" id="fhnwSapUserID"/>
<!-- FHNW user principal name (ActiveDirectory) -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1012" id="fhnwUPN"/>
<!-- Primary group ID -->
<Attribute name="urn:oid:1.3.6.1.4.1.7165.2.1.15" id="primaryGroupID"/>
<!-- SWITCH edu-ID Affiliation Profile -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1028" id="swissEduIDAffiliationProfile"/>
<!-- SWITCH edu-ID Associated E-Mail -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.17" id="swissEduIDAssociatedMail"/>
<!-- SWITCH edu-ID Assurance Level -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1027" id="swissEduIDAssuranceLevel"/>
<!-- SWITCH edu-ID Linked Affiliation -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1029" id="swissEduIDLinkedAffiliation"/>
<!-- SWITCH edu-ID Linked Affiliation E-Mail -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1031" id="swissEduIDLinkedAffiliationMail"/>
<!-- Swiss edu-ID Linked Affiliation Unique ID -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1032" id="swissEduIDLinkedAffiliationUniqueID"/>
<!-- SWITCH edu-ID Active User -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1026" id="swissEduIDUsage1y"/>
<!-- Uni Basel personal public id -->
<Attribute name="urn:oid:1.3.6.1.4.1.22865.10.1.1.93" id="unibasChPublicId"/>
<!-- Uni Basel specific roles -->
<Attribute name="urn:oid:1.3.6.1.4.1.22865.10.1.1.19" id="unibasChRoles"/>
<!-- UniBE Authorization attribute -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1000" id="uniBEApplAuthorisation"/>
<!-- UniGE Organization unit code -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1004" id="unigeOuCode"/>
<!-- UniL faculte principale -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1006" id="unilFacultePrincipale"/>
<!-- UniL group membership -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1003" id="unilMemberOf"/>
<!-- UZH SAP staff user ID -->
<Attribute name="urn:oid:1.3.6.1.4.1.11817.1.1.2.27" id="uzhSAPUserIdStaff"/>
<!-- UZH SAP user ID -->
<Attribute name="urn:oid:1.3.6.1.4.1.11817.1.1.2.13" id="uzhSAPUserId"/>
<!-- ZHAW Department Code -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1015" id="zhawDepartmentCode"/>
<!-- ZHAW Institute Code -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1016" id="zhawInstituteCode"/>
<!-- ZHAW Institute Name -->
<Attribute name="urn:oid:2.16.756.1.2.5.1.1.1017" id="zhawInstitute"/>
</Attributes>
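Review bot: Lines 234–289 enable every institution-specific "local attribute" in the federation file, which the file's own comment on line 233 advises against; at least `fschImapPW` on line 235 (described as a password) and the various SAP/AD identifiers would be accepted by the SP and handed to the application if an IdP releases them. Prune the list to the attributes this SP actually consumes, and record in the header comment (lines 72–79) which entries were deliberately enabled by the manual edit the Dockerfile mentions, since the upstream "Last update" date no longer identifies this version of the file.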
<AttributeFilterPolicyGroup
xmlns="urn:mace:shibboleth:2.0:afp"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<!--
SWITCHaai federation attribute policy configuration file
Based on SWITCHaai Attribute Specification 1.6 from 2017-04-11
Last update: 2018-07-04
-->
<!-- Shared rule for affiliation values. -->
<PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
<Rule xsi:type="Value" value="faculty"/>
<Rule xsi:type="Value" value="student"/>
<Rule xsi:type="Value" value="staff"/>
<Rule xsi:type="Value" value="alum"/>
<Rule xsi:type="Value" value="member"/>
<Rule xsi:type="Value" value="affiliate"/>
<!-- The value 'employee' is not allowed in SWITCHaai -->
<!-- <Rule xsi:type="Value" value="employee"/> -->
<Rule xsi:type="Value" value="library-walk-in"/>
</PermitValueRule>
<!--
Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
an AttributeRule for each attribute you want to check.
-->
<PermitValueRule id="ScopingRules" xsi:type="AND">
<Rule xsi:type="NOT">
<Rule xsi:type="ValueRegex" regex="@"/>
</Rule>
<Rule xsi:type="ScopeMatchesShibMDScope"/>
</PermitValueRule>
<AttributeFilterPolicy>
<!-- This policy is in effect in all cases. -->
<PolicyRequirementRule xsi:type="ANY"/>
<!-- Filter out undefined affiliations and ensure only one primary. -->
<AttributeRule attributeID="scoped-affiliation">
<PermitValueRule xsi:type="AND">
<RuleReference ref="eduPersonAffiliationValues"/>
<RuleReference ref="ScopingRules"/>
</PermitValueRule>
</AttributeRule>
<AttributeRule attributeID="affiliation">
<PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</AttributeRule>
<AttributeRule attributeID="eduPersonUniqueId">
<PermitValueRuleReference ref="ScopingRules"/>
</AttributeRule>
<AttributeRule attributeID="primary-affiliation">
<PermitValueRuleReference ref="eduPersonAffiliationValues"/>
</AttributeRule>
<AttributeRule attributeID="subject-id">
<PermitValueRuleReference ref="ScopingRules"/>
</AttributeRule>
<AttributeRule attributeID="pairwise-id">
<PermitValueRuleReference ref="ScopingRules"/>
</AttributeRule>
<AttributeRule attributeID="principalName">
<PermitValueRuleReference ref="ScopingRules"/>
</AttributeRule>
<AttributeRule attributeID="uniqueID">
<PermitValueRuleReference ref="ScopingRules"/>
</AttributeRule>
<!-- Regular expression filter for E-mail -->
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="ValueRegex" regex="^.+@.+$" />
</AttributeRule>
<!-- Value filter for Home organization type -->
<AttributeRule attributeID="homeOrganizationType">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="university"/>
<Rule xsi:type="Value" value="uas"/>
<Rule xsi:type="Value" value="hospital"/>
<Rule xsi:type="Value" value="library"/>
<Rule xsi:type="Value" value="tertiaryb"/>
<Rule xsi:type="Value" value="uppersecondary"/>
<Rule xsi:type="Value" value="vho"/>
<Rule xsi:type="Value" value="others"/>
</PermitValueRule>
</AttributeRule>
<!-- Regular expression filter for Study level -->
<AttributeRule attributeID="studyLevel">
<PermitValueRule xsi:type="ValueRegex" regex="^\d+\-\d+$" />
</AttributeRule>
<!-- Regular expression filter for Staff category -->
<AttributeRule attributeID="staffCategory">
<PermitValueRule xsi:type="ValueRegex" regex="^\d+$" />
</AttributeRule>
<!-- Regular expression filter for Matriculation number -->
<AttributeRule attributeID="matriculationNumber">
<PermitValueRule xsi:type="ValueRegex" regex="^\d{8}$" />
</AttributeRule>
<!-- Regular expression filter for Date of birth -->
<AttributeRule attributeID="dateOfBirth">
<PermitValueRule xsi:type="ValueRegex" regex="^\d{8}$" />
</AttributeRule>
<!-- Value filter for Gender -->
<AttributeRule attributeID="gender">
<PermitValueRule xsi:type="OR">
<Rule xsi:type="Value" value="0"/>
<Rule xsi:type="Value" value="1"/>
<Rule xsi:type="Value" value="2"/>
<Rule xsi:type="Value" value="9"/>
</PermitValueRule>
</AttributeRule>
<!-- Regular expression filter for Study branch 1 -->
<AttributeRule attributeID="studyBranch1">
<PermitValueRule xsi:type="ValueRegex" regex="^\d+$" />
</AttributeRule>
<!-- Regular expression filter for Study branch 2 -->
<AttributeRule attributeID="studyBranch2">
<PermitValueRule xsi:type="ValueRegex" regex="^\d+$" />
</AttributeRule>
<!-- Regular expression filter for Study branch 3 -->
<AttributeRule attributeID="studyBranch3">
<PermitValueRule xsi:type="ValueRegex" regex="^\d+$" />
</AttributeRule>
<!-- Regular expression filter for Card UID -->
<AttributeRule attributeID="cardUID">
<PermitValueRule xsi:type="ValueRegex" regex="^.+@.+$" />
</AttributeRule>
<!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
<AttributeRule attributeID="persistent-id">
<PermitValueRule xsi:type="NameIDQualifierString"/>
</AttributeRule>
<!-- Enforce that the value of swissEduPersonHomeOrganization is a valid Scope. -->
<AttributeRule attributeID="swissEduPersonHomeOrganization">
<PermitValueRule xsi:type="ValueMatchesShibMDScope" />
</AttributeRule>
<!-- Enforce that the values of schacHomeOrganization are a valid Scope. -->
<AttributeRule attributeID="schacHomeOrganization">
<PermitValueRule xsi:type="ValueMatchesShibMDScope" />
</AttributeRule>
<!-- Catch-all that passes everything else through unmolested. -->
<AttributeRule attributeID="*" permitAny="true"/>
</AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
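Review bot: The scope check on line 415 targets `attributeID="swissEduPersonHomeOrganization"`, but no attribute with that id is defined in the attribute map committed alongside (the home-organization attribute on line 119 of the map is `id="homeOrganization"`), so unless another extractor defines that id the `ValueMatchesShibMDScope` rule never fires and `homeOrganization` values fall through to the `permitAny` catch-all on line 423. Change it to `<AttributeRule attributeID="homeOrganization">`, mirroring the `schacHomeOrganization` rule on line 419. More generally, the catch-all means attributes such as `entitlement`, `isMemberOf` and `uid` are accepted from any IdP without value or issuer filtering; if the application authorizes on any of them, a rule restricting which issuers may assert them would be appropriate.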