WAYF hub now capable of filtering attribute values

Some of the user attributes that WAYF supports passing on from user organisations to services have a very large value space, and in many cases only a rather small subset of the possible values is of relevance to the provider of the service.

One example is the isMemberOf attribute, whose values are all of the user's group memberships (typically AD groups) within her organisation: why should a service receiving isMemberOf learn of group memberships other than those relevant to her access to (particular content within) the service? The attributes eduPersonEntitlement and eduPersonScopedAffiliation are other examples. Learn more about them here.

To make it possible to limit which values a service will receive for a given attribute, WAYF has now developed a filtering mechanism: a simple value filtering string can be specified in metadata for each attribute a service receives; the WAYF hub will then pass on from user organisation to service only those attribute values that match the filter string. The syntax is simple: an incoming value must either match the entire string (example: abc), begin with it (abc*) or end in it (*abc). The asterisk can thus be used as a wildcard at the start or at the end of the filter expression.
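The matching rules described above, sketched in Python as an added example (this is not WAYF's own code). The function names and sample values are constructed; case-sensitive comparison, rejecting asterisk placements the article does not define, passing unfiltered attributes through unchanged, and dropping attributes left with no values are assumptions.

```python
"""Added illustration of the value-filter rules; not WAYF hub code."""


def value_matches(filter_expr: str, value: str) -> bool:
    """Return True if value passes the filter: exact (abc), abc* or *abc."""
    if filter_expr.endswith("*"):
        literal, mode = filter_expr[:-1], "prefix"
    elif filter_expr.startswith("*"):
        literal, mode = filter_expr[1:], "suffix"
    else:
        literal, mode = filter_expr, "exact"
    if "*" in literal:
        # Assumption: forms the article does not define (a*b, *a*) are
        # rejected rather than guessed at, so a typo cannot widen release.
        raise ValueError(f"unsupported filter expression: {filter_expr!r}")
    if mode == "prefix":
        return value.startswith(literal)
    if mode == "suffix":
        return value.endswith(literal)
    return value == literal


def release(attributes: dict, filters: dict) -> dict:
    """Apply one filter string per attribute; unfiltered attributes pass as-is."""
    released = {}
    for name, values in attributes.items():
        expr = filters.get(name)
        kept = values if expr is None else [v for v in values if value_matches(expr, v)]
        if kept:  # assumption: an attribute with no surviving values is omitted
            released[name] = kept
    return released


# Constructed sample data: values as a user organisation might send them.
SAMPLE_ATTRIBUTES = {
    "isMemberOf": ["library-readers", "library-staff", "hr-payroll", "it-admins"],
    "eduPersonScopedAffiliation": ["student@example.org", "staff@dept.example.org"],
    "eduPersonPrimaryAffiliation": ["student"],
}
# Including the "@" in the suffix filter anchors it to the exact scope;
# "*example.org" would also pass "staff@dept.example.org".
SAMPLE_FILTERS = {
    "isMemberOf": "library-*",
    "eduPersonScopedAffiliation": "*@example.org",
    "eduPersonPrimaryAffiliation": "student",
}

if __name__ == "__main__":
    for attr, vals in release(SAMPLE_ATTRIBUTES, SAMPLE_FILTERS).items():
        print(attr, vals)
```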

Value filters can be specified either in the metadata for the receiving service (by the WAYF Secretariat) or in the metadata for the sending user organisation (by the institution itself). In the latter case, the institution's administrator specifies, in mEdit, the service to which the filtering must apply, as well as the filter itself.

The filtering mechanism can, of course, also be used with attributes that have small and fixed value spaces, e.g. eduPersonPrimaryAffiliation. For instance, WAYF has specified the filter 'student' in metadata for the Studiz service, allowing its provider to learn only whether the user is a student, not what other affiliations he might have.