Keystone/trusted-attribute-issuing-policy

Trusted Attribute Issuing Policy for Federated Identity Providers
Only certain identity providers should be trusted to issue certain attributes, for example, a University might be able to issue a student number, but not a credit card number. In order to enforce this, we propose an API to allow administrators to set an issuing policy for an Identity Provider which denotes which attributes can be issued. Any attributes which violate the policy will be discarded before any attribute mapping takes place. There should be one policy per Identity Provider.

There are three ways in which an attribute can be treated in the policy.


 * The attribute can be omitted from the policy completely - if this attribute is received from this Identity Provider it will be discarded.
 * The attribute can be included with an empty list of values - any value of this attribute will be valid so if this attribute is present it will be preserved.
 * The attribute can be included with a list of one or more values - any values not specified will be stripped from the received attribute, if no values remain the attribute will be discarded, else the attribute will be preserved with the new list of values after stripping any unspecified values.