...

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See the Examples section below for an explicit example.

Note: Filter order is important!

This filter changes the content of the metadata and so a filter of type EntityRoleWhiteList should appear after any SignatureValidationFilter in the overall sequence of filters.

...

| Name | Type | Default | Description |
|---|---|---|---|
| removeRolelessEntityDescriptors | boolean | true | Controls whether to keep entity descriptors that contain no roles. Note: If this attribute is set to false, the resulting output may not be schema-valid since an <md:EntityDescriptor> element must include at least one role descriptor. |
| removeEmptyEntitiesDescriptors | boolean | true | Controls whether to keep entities descriptors that contain no entity descriptors. Note: If this attribute is set to false, the resulting output may not be schema-valid since an <md:EntitiesDescriptor> element must include at least one child element, either an <md:EntityDescriptor> element or an <md:EntitiesDescriptor> element. |

Warning: Affiliation descriptors are removed by default

An <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true, both are filtered from the input.

Child Elements

| Name | Cardinality | Description |
|---|---|---|
| <RetainedRole> | 0 or more | The textual content is the XML QName of the role to be retained. Note that property replacement cannot be used on this element. |

Warning: Don't forget to configure a child element

If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all roles (and therefore all entities) from the input. This is probably not what you want to do.

Examples

The following example retains all <md:SPSSODescriptor> elements in the input:

...

If the value of the removeEmptyEntitiesDescriptors attribute is true (which it is by default), any <md:EntitiesDescriptor> element that contains no child element, neither an <md:EntityDescriptor> element nor an <md:EntitiesDescriptor> element, is removed as well.
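
The filtering rules described on this page (role retention, removal of roleless and affiliation-only entity descriptors, removal of empty entities descriptors, and the empty-filter pitfall) can be modelled in a few lines of Python. This is an added example, not Shibboleth's code: the function name `filter_roles`, its parameters and the sample aggregate are constructed for illustration, and it assumes retained roles are given as `md:`-prefixed QNames.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY, ENTITIES = f"{{{MD}}}EntityDescriptor", f"{{{MD}}}EntitiesDescriptor"
# Role descriptor elements defined by the SAML 2.0 metadata schema.
# AffiliationDescriptor is deliberately absent: it is not a role.
ROLES = {f"{{{MD}}}{n}" for n in (
    "RoleDescriptor", "IDPSSODescriptor", "SPSSODescriptor",
    "AuthnAuthorityDescriptor", "AttributeAuthorityDescriptor", "PDPDescriptor")}

# Constructed sample aggregate (not real federation metadata).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp.example.org"><md:SPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.org"><md:IDPSSODescriptor/><md:SPSSODescriptor/></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aff.example.org"><md:AffiliationDescriptor/></md:EntityDescriptor>
  <md:EntitiesDescriptor Name="idps-only">
    <md:EntityDescriptor entityID="https://idp.example.org"><md:IDPSSODescriptor/></md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""

def filter_roles(xml_text, retained, remove_roleless=True, remove_empty=True):
    """Return (entityIDs kept, names of nested groups kept) after filtering."""
    # Assumption: every retained QName uses the md: prefix, e.g. md:SPSSODescriptor.
    keep = {f"{{{MD}}}{q.split(':', 1)[1]}" for q in retained}
    root = ET.fromstring(xml_text)

    def prune(group):
        for child in list(group):
            if child.tag == ENTITY:
                for role in [r for r in child if r.tag in ROLES and r.tag not in keep]:
                    child.remove(role)
                if remove_roleless and not any(r.tag in ROLES for r in child):
                    group.remove(child)
            elif child.tag == ENTITIES:
                prune(child)
                if remove_empty and not any(c.tag in (ENTITY, ENTITIES) for c in child):
                    group.remove(child)

    prune(root)
    ids = [e.get("entityID") for e in root.iter(ENTITY)]
    groups = [g.get("Name") for g in root.iter(ENTITIES) if g is not root]
    return ids, groups
```

Calling `filter_roles(SAMPLE, [])` returns no entities at all, which is the empty `<MetadataFilter>` case the warning above describes.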