The EntityRoleWhiteList filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See the Examples section for details.

Note: Filter order is important!

This filter changes the content of the metadata and so a filter of type EntityRoleWhiteList should appear after any SignatureValidationFilter in the overall sequence of filters.

...

Name: <RetainedRole>
Cardinality: 0 or more
Description: The textual content is the XML QName of the role to be retained. Note that property replacement cannot be used on this element.

Examples

The following example retains all <md:SPSSODescriptor> elements in the input:

Retain SP roles only (XML):
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

If a particular entity descriptor contains no <md:SPSSODescriptor> child element, all role descriptors are removed. If the value of the removeRolelessEntityDescriptors attribute is true (which it is by default), the entity itself is removed as well.

Warning: Don't forget to configure a child element
If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all roles (and therefore all entities) from the input. This is probably not what you want to do.
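As an added illustration (not code from the Shibboleth project), the following Python script applies the filter semantics described above to a constructed metadata aggregate: it drops every role descriptor not listed as a <RetainedRole>, removes roleless entities when removeRolelessEntityDescriptors is true, and shows that an empty whitelist removes everything. The entityIDs are hypothetical.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
# Children of md:EntityDescriptor that are role descriptors in the SAML 2.0 metadata schema.
ROLE_TAGS = {f"{{{MD_NS}}}{name}" for name in (
    "RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor", "AuthnAuthorityDescriptor",
    "AttributeAuthorityDescriptor", "PDPDescriptor")}

# Constructed sample aggregate (hypothetical entityIDs): an SP, an IdP, and an entity with both roles.
SAMPLE_METADATA = f"""<EntitiesDescriptor xmlns="{MD_NS}">
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    <AttributeAuthorityDescriptor protocolSupportEnumeration="{PROTO}"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://both.example.org/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    <SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def entity_role_whitelist(xml_text, retained_roles, remove_roleless=True):
    """Apply EntityRoleWhiteList semantics to an md:EntitiesDescriptor.

    retained_roles: local names of the roles to keep (e.g. ["SPSSODescriptor"]).
    remove_roleless: mirrors the removeRolelessEntityDescriptors attribute (default true).
    Returns {entityID: [local names of the roles that survived]}.
    """
    retained = {f"{{{MD_NS}}}{name}" for name in retained_roles}
    root = ET.fromstring(xml_text)
    for entity in list(root.findall(f"{{{MD_NS}}}EntityDescriptor")):
        # Drop every role descriptor that is not on the whitelist.
        for child in list(entity):
            if child.tag in ROLE_TAGS and child.tag not in retained:
                entity.remove(child)
        # An entity left with no role at all is itself removed when the attribute is true.
        if remove_roleless and not any(c.tag in ROLE_TAGS for c in entity):
            root.remove(entity)
    return {e.get("entityID"): [c.tag.split("}")[1] for c in e if c.tag in ROLE_TAGS]
            for e in root.findall(f"{{{MD_NS}}}EntityDescriptor")}


if __name__ == "__main__":
    print(entity_role_whitelist(SAMPLE_METADATA, ["SPSSODescriptor"]))
    print(entity_role_whitelist(SAMPLE_METADATA, ["SPSSODescriptor"], remove_roleless=False))
    print(entity_role_whitelist(SAMPLE_METADATA, []))  # empty whitelist: nothing survives
```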