Versions Compared


...

The MappedAttributeInMetadata type is a Matcher which filters results based on the <md:RequestedAttribute> elements within the request-indicated <md:AttributeConsumingService> in the SP's metadata.

In contrast to the saml:SAMLAttributeInMetadata type, the attributes are compared as native IdP attribute objects and values. That is to say, when the SAML metadata is loaded, the <md:RequestedAttribute> elements are examined and the attribute encoding rules defined in the AttributeResolverConfiguration are reversed to dereference the SAML names back into internal IdP-assigned attribute IDs.

  • Any AttributeValue type can be compared (programmatically speaking, the comparison is delegated to the implementation of the AttributeValue).
  • The cost of applying the mapping from <md:RequestedAttribute> elements is incurred once, when the metadata is loaded (and in a background thread), rather than every time the Matcher is evaluated.
  • All potential ID-to-Name mappings of the RequestedAttribute are available for comparison (rather than just the first one found which matches).

The parameterization controls:

  • The behavior when the metadata contains no <md:RequestedAttribute> elements (via matchIfMetadataSilent)
  • The behavior with respect to the isRequired XML attribute (via onlyIfRequired)
  • Whether this is a Matcher or a PolicyRule (via attributeID)
Note

The MappedAttributeInMetadata is a Matcher which consults RequestedAttributes.

For a PolicyRule which consults EntityAttributes (associated with the SAML2 metadata entity for the SP), use EntityAttributeExact or EntityAttributeRegex.


Schema Type and Location

The MappedAttributeInMetadata type is defined in the urn:mace:shibboleth:2.0:afp namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

...

The deprecated basic:AttributeRequesterRegex type is defined in the urn:mace:shibboleth:2.0:afp:mf:basic namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd. Use of that namespace is deprecated, but is supported.

Reference

Attributes


...

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| matchIfMetadataSilent | Boolean | false | If true, then all input values are returned if and only if the metadata contains no <md:RequestedAttribute> information. This attribute has no effect if the ACS contains some <md:RequestedAttribute> information. |
| onlyIfRequired | Boolean | true (erroneously false prior to 3.2, see here) | If this is true and the corresponding <md:RequestedAttribute> element does not specify isRequired="true", then no values are matched. |
| attributeID | String | optional | If this is present, then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. See AttributeValueString for an example of how attributeID changes the meaning of a Matcher in a slightly less daunting environment. |

As mentioned above, value matching is delegated to the AttributeValue implementation, allowing a wider range of comparison scenarios.

Child Elements

None

Example

The example presumes that an attribute internal to the IdP called "eduPersonPrincipalName" is encoded to a SAML name that may be reflected in an SP's metadata. Thus, you can see that the attribute rule makes no reference to the SAML name at all, but relies on the mapping machinery within the IdP to figure out what the corresponding SAML name happens to be, and any/all attributes that will be encoded to a matching SAML name are going to match for the purposes of this rule.

<AttributeRule attributeID="eduPersonPrincipalName">
	<PermitValueRule xsi:type="MappedAttributeInMetadata" id="PermitRule" onlyIfRequired="true" matchIfMetadataSilent="true"/>
</AttributeRule>
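The decision that rule expresses, simulated in Python as an added example (this is not Shibboleth code): the encoder table, the SP metadata fragment and the treatment of values as plain strings are all constructed assumptions, and a <md:RequestedAttribute> without a NameFormat is assumed to use the URI format.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed stand-in for the IdP's attribute-encoder configuration:
# (SAML Name, NameFormat) -> internal IdP attribute ID. Assumed for this example.
ENCODERS = {
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.6", URI_FMT): "eduPersonPrincipalName",
    ("urn:oid:1.3.6.1.4.1.5923.1.1.1.1", URI_FMT): "eduPersonAffiliation",
    ("urn:oid:0.9.2342.19200300.100.1.3", URI_FMT): "mail",
}

def load_requested(acs_xml):
    """Done once, when metadata is loaded: reverse the encoders so every
    <md:RequestedAttribute> is keyed by IdP attribute ID. Returns
    {idp_id: {"required": bool, "values": set | None}}; None means any value."""
    requested = {}
    for ra in ET.fromstring(acs_xml).iter(f"{{{MD}}}RequestedAttribute"):
        idp_id = ENCODERS.get((ra.get("Name"), ra.get("NameFormat", URI_FMT)))
        if idp_id is None:
            continue  # a SAML name this IdP never emits can match nothing
        entry = requested.setdefault(idp_id, {"required": False, "values": None})
        entry["required"] |= ra.get("isRequired", "false") in ("true", "1")
        # String values only: reversing a string encoder is the identity (assumption)
        listed = {v.text for v in ra.findall(f"{{{SAML}}}AttributeValue")}
        if listed:
            entry["values"] = (entry["values"] or set()) | listed
    return requested

def mapped_attribute_in_metadata(attribute_id, values, requested,
                                 only_if_required=True, match_if_metadata_silent=False):
    """Values of `attribute_id` the matcher permits under the two flags."""
    if not requested:  # metadata is silent: no <md:RequestedAttribute> at all
        return list(values) if match_if_metadata_silent else []
    entry = requested.get(attribute_id)
    if entry is None or (only_if_required and not entry["required"]):
        return []
    return [v for v in values if entry["values"] is None or v in entry["values"]]

# Constructed SP metadata fragment used for the checks; not from any real SP.
ACS_XML = f"""<md:AttributeConsumingService xmlns:md="{MD}" xmlns:saml="{SAML}" index="1">
  <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FMT}" isRequired="true"/>
  <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{URI_FMT}" isRequired="true">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>staff</saml:AttributeValue>
  </md:RequestedAttribute>
  <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI_FMT}"/>
</md:AttributeConsumingService>"""
```

With the defaults above, mail is released only when onlyIfRequired is switched off, because the SP did not mark it isRequired="true".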