A filter of type EntityAttributes adds SAML entity attributes to, or removes them from, the <mdattr:EntityAttributes> extension element in metadata, in order to drive software behavior based on entity attributes.
Tip: The EntityAttributes filter is typically used to add entity attributes to remote metadata at runtime. The filter is usually applied to an HTTP metadata provider such as the FileBackedHTTPMetadataProvider or the DynamicHTTPMetadataProvider.
...
The <mdattr:EntityAttributes> extension element is a container for entity attributes. Syntactically, an entity attribute looks like an ordinary user attribute. For example:
    <mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
    </mdattr:EntityAttributes>
In the previous example, the name and value of the entity attribute are http://macedir.org/entity-category and http://refeds.org/category/research-and-scholarship, respectively. Note that an entity attribute may be multi-valued.
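To check which entity attributes an entity actually carries, for instance after this filter has run, the extension can be read back from the metadata. The following Python code is an added example, not part of the Shibboleth documentation or software; the sample metadata, the second attribute value and the function names are constructed for illustration, and the input is assumed to be trusted metadata.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample metadata (not from the page): sp1 carries a two-valued
# entity attribute, sp2 has no <mdattr:EntityAttributes> extension at all.
SAMPLE = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
          <saml:AttributeValue>https://sp.example.org/category/constructed</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org"/>
</md:EntitiesDescriptor>
"""

def entity_attributes(metadata_xml):
    """Map entityID -> {attribute Name: set of values} for every entity."""
    root = ET.fromstring(metadata_xml)
    result = {}
    # iter() also matches the root when it is a lone <md:EntityDescriptor>.
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = defaultdict(set)
        path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
        for attr in ed.findall(path, NS):
            for val in attr.findall("saml:AttributeValue", NS):
                attrs[attr.get("Name")].add((val.text or "").strip())
        result[ed.get("entityID")] = dict(attrs)
    return result

def entities_tagged(metadata_xml, name, value):
    """Sorted entityIDs whose entity attribute `name` includes `value`."""
    return sorted(eid for eid, attrs in entity_attributes(metadata_xml).items()
                  if value in attrs.get(name, ()))
```

An entity without the extension element maps to an empty dictionary, so it is reported as untagged rather than skipped.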
To use the EntityAttributes filter, sequences of <saml:Attribute> elements are supplied as filter content. When a child element such as <Entity> or <ConditionRef> or <ConditionScript> evaluates to true, the SAML attributes are applied to the corresponding entities as entity attributes. The software automatically adds or removes the parent <mdattr:EntityAttributes> extension element as needed.
Note: This filter changes the content of the metadata and so a filter of type
...
The <MetadataFilter> element and the type EntityAttributes are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The schema for the <mdattr:EntityAttributes> extension element is defined by part of the OASIS SAML V2.0 Metadata Extension for Entity Attributes specification.
The embedded entity attribute is defined by the urn:oasis:names:tc:SAML:2.0:assertion namespace, the schema for which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. The latter namespace is usually associated with the saml: prefix.
Attributes
None.
Child Elements
The first two are optional, mutually exclusive, and must appear first:
Name | Description |
---|---|
<AttributeFilterRef> 3.4 | Optional Bean ID of type Predicate |
| The content of this element is an inline or local script resource that implements Predicate<Attribute>, which is applied to all pre-existing extension attributes. Any entity attribute for which it evaluates to false is removed prior to subsequent additions. |
Then, any of the following can be supplied in any order:
...
Add entity attributes to metadata
The following example adds the entity attribute "https://sp.example.org/tagname1" to entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to entity "https://sp2.example.org".
...