<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!--
        SWITCHaai federation attribute policy configuration file
        Based on SWITCHaai Attribute Specification 1.6 from 2017-04-11
        Last update: 2018-07-04
    -->

    <!-- Shared rule for affiliation values. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <!-- The value 'employee' is not allowed in SWITCHaai -->
        <!-- <Rule xsi:type="AttributeValueString" value="employee"/> -->
        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    </afp:PermitValueRule>

    <!--
    Shared rule for all "scoped" attributes, but you'll have to manually apply it inside
    an AttributeRule for each attribute you want to check.
    -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- This policy is in effect in all cases. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Filter out undefined affiliations and ensure only one primary. -->
        <afp:AttributeRule attributeID="scoped-affiliation">
            <afp:PermitValueRule xsi:type="AND">
                <RuleReference ref="eduPersonAffiliationValues"/>
                <RuleReference ref="ScopingRules"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonUniqueId">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="primary-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="principalName">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="uniqueID">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Regular expression filter for E-mail -->
        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^.+@.+$" />
        </afp:AttributeRule>

        <!-- Value filter for Home organization type -->
        <afp:AttributeRule attributeID="homeOrganizationType">
            <afp:PermitValueRule xsi:type="OR">
                 <Rule xsi:type="AttributeValueString" value="university"/>
                 <Rule xsi:type="AttributeValueString" value="uas"/>
                 <Rule xsi:type="AttributeValueString" value="hospital"/>
                 <Rule xsi:type="AttributeValueString" value="library"/>
                 <Rule xsi:type="AttributeValueString" value="tertiaryb"/>
                 <Rule xsi:type="AttributeValueString" value="uppersecondary"/>
                 <Rule xsi:type="AttributeValueString" value="vho"/>
                 <Rule xsi:type="AttributeValueString" value="others"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <!-- Regular expression filter for Study level -->
        <afp:AttributeRule attributeID="studyLevel">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d+\-\d+$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Staff category -->
        <afp:AttributeRule attributeID="staffCategory">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d+$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Matriculation number -->
        <afp:AttributeRule attributeID="matriculationNumber">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d{8}$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Date of birth -->
        <afp:AttributeRule attributeID="dateOfBirth">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d{8}$" />
        </afp:AttributeRule>

        <!-- Value filter for Gender -->
        <afp:AttributeRule attributeID="gender">
            <afp:PermitValueRule xsi:type="OR">
                 <Rule xsi:type="AttributeValueString" value="0"/>
                 <Rule xsi:type="AttributeValueString" value="1"/>
                 <Rule xsi:type="AttributeValueString" value="2"/>
                 <Rule xsi:type="AttributeValueString" value="9"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>

        <!-- Regular expression filter for Study branch 1 -->
        <afp:AttributeRule attributeID="studyBranch1">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d+$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Study branch 2 -->
        <afp:AttributeRule attributeID="studyBranch2">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d+$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Study branch 3 -->
        <afp:AttributeRule attributeID="studyBranch3">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^\d+$" />
        </afp:AttributeRule>

        <!-- Regular expression filter for Card UID -->
        <afp:AttributeRule attributeID="cardUID">
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^.+@.+$" />
        </afp:AttributeRule>

        <!-- Require NameQualifier/SPNameQualifier match IdP and SP entityID respectively. -->
        <afp:AttributeRule attributeID="persistent-id">
            <afp:PermitValueRule xsi:type="saml:NameIDQualifierString"/>
        </afp:AttributeRule>

        <!-- Enforce that the value of swissEduPersonHomeOrganization is a valid Scope. -->
        <afp:AttributeRule attributeID="swissEduPersonHomeOrganization">
            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope" />
        </afp:AttributeRule>

        <!-- Enforce that the value of schacHomeOrganization is a valid Scope. -->
        <afp:AttributeRule attributeID="schacHomeOrganization">
            <afp:PermitValueRule xsi:type="saml:AttributeValueMatchesShibMDScope"/>
        </afp:AttributeRule>

        <!-- SWITCHtoolbox group attribute filter to ensure that this attribute is only accepted from the SWITCHtoolbox -->
        <afp:AttributeRule attributeID="isMemberOf">
                <afp:PermitValueRule xsi:type="basic:AttributeIssuerString" value="https://toolbox.switch.ch/idp/shibboleth" />
        </afp:AttributeRule>

        <!-- Catch-all that passes everything else through unmolested. -->
        <afp:AttributeRule attributeID="*">
            <afp:PermitValueRule xsi:type="ANY"/>
        </afp:AttributeRule>

    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
