...

To properly support the Anonymous Authorization Resource Access category, in addition to releasing those attributes permitted by the Anonymous Authorization category, an Identity Provider (IdP) must take care to block any user attribute not permitted by the Anonymous Authorization category from being released to an SP asserting this category unless bilateral arrangements are in place.

...

The following example illustrates a possible Anonymous Authorization category template for the Shibboleth Identity Provider’s attribute filter policy (attribute-filter.xml). This template permits the release of attributes defined in this category to the named SP entity while explicitly blocking user identifiers from being released:


<AttributeFilterPolicy id="refedsAnonymousAuthorizationCategoryTemplate"> 
  <PolicyRequirementRule xsi:type="Requester"
      value="https://sp.example.org"/>