A filter of type EntityAttributes adds or removes SAML entity attributes to or from metadata in order to drive software behavior.

...

The embedded entity attribute is defined by the urn:oasis:names:tc:SAML:2.0:assertion namespace, the schema for which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. The latter namespace is usually associated with the saml: prefix.

Attributes

None.

Child Elements

The first two are optional, mutually exclusive, and must appear first:

Name: <AttributeFilterRef> (3.4)
Description: Optional Bean ID of a Predicate<Attribute>. The predicate is applied to every pre-existing entity attribute (in the EntityAttributes extension of every entity in the metadata, not only the entities named later in the filter), and any attribute for which it evaluates to false is removed before the additions that follow are applied.

Name: <AttributeFilterScript> (3.4)
Description: The content of this element is an inline or local script resource that implements Predicate<Attribute>. It is applied to every pre-existing entity attribute in the same way, and any entity attribute for which it evaluates to false is removed before the additions that follow are applied.

Then, any of the following can be supplied in any order:

...

Add entity attributes to metadata

The following example adds the entity attribute "https://sp.example.org/tagname1" to the entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to the entity "https://sp2.example.org". Each <Entity> element receives every <saml:Attribute> that precedes it in the filter, so the set of attributes being attached accumulates as the filter is read from top to bottom.

<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="https://sp.example.org/tagname1">
        <saml:AttributeValue>foo</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org</Entity>
    <saml:Attribute Name="https://sp.example.org/tagname2">
        <saml:AttributeValue>foo</saml:AttributeValue>
        <saml:AttributeValue>bar</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp2.example.org</Entity>
</MetadataFilter>
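The filter above only adds attributes; it leaves any entity attributes already present in the loaded metadata untouched. When the metadata comes from a third party (a federation aggregate, for instance), that matters, because the IdP reads profile settings such as signAssertions or encryptAssertions from entity attributes wherever they appear in metadata it has loaded, regardless of who published them. The following is an added example, not from the Shibboleth documentation, that combines the <AttributeFilterScript> child element described above with an addition: it strips every pre-existing attribute in the http://shibboleth.net/ns/profiles/ namespace from all entities, then attaches the site's own signing setting to one entity. It assumes the script follows the same convention as the <ConditionScript> example on this page (the object under test is available as input, here an org.opensaml.saml.saml2.core.Attribute, and the script body sits in a <Script> child), and that xmlns:xsi and xmlns:xsd are declared on the enclosing document as in the other examples; the entityID is illustrative.

```xml
<!--
    Added example (not part of the Shibboleth documentation).
    Assumptions: "input" is the pre-existing entity attribute being tested
    (org.opensaml.saml.saml2.core.Attribute), the <Script> child carries the
    inline script as for ConditionScript, and the entityID below is illustrative.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- must appear first: decide which pre-existing entity attributes survive -->
    <AttributeFilterScript>
        <Script>
        <![CDATA[
            // input: one pre-existing entity attribute from any entity in the metadata.
            // Return true to keep it, false to drop it before the additions below run.
            (function (attr) {
                "use strict";
                if (attr === null) { return false; }
                var name = attr.getName();
                // an attribute without a Name can never be matched; drop it
                if (name === null) { return false; }
                // drop anything in the IdP's profile-configuration namespace, so that
                // settings such as signAssertions or encryptAssertions can only come
                // from this filter and not from whoever published the metadata
                return String(name).indexOf("http://shibboleth.net/ns/profiles/") !== 0;
            }(input));
        ]]>
        </Script>
    </AttributeFilterScript>

    <!-- now add our own setting; the <Entity> receives every attribute that precedes it -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org</Entity>

</MetadataFilter>
```

The removal step runs against every entity in the metadata, not only https://sp1.example.org, so after this filter the only profile-namespace attribute anywhere in that metadata is the signAssertions tag attached here. Tags outside that namespace (for example federation membership or category tags) pass through unchanged.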

...

Add entity attributes that affect signing operations

<!-- 
    By default, responses are signed but assertions are not.
    This filter enables signing of both responses and assertions for one entity,
    and signing of assertions only (responses unsigned) for two others.
    Entities not named here keep the default: responses signed, assertions not.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- sign assertions -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
    </saml:Attribute>
  
    <!-- sign both responses and assertions for the following entity -->
    <Entity>https://sp.example1.org</Entity>
  
    <!-- do not sign responses -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>
  
    <!-- sign assertions but do not sign responses for the following entities -->
    <Entity>https://sp.example2.org</Entity>
    <Entity>https://sp.example3.org</Entity>

</MetadataFilter>

...

Add an entity attribute that disables encryption

<!-- 
    By default, SAML assertions are encrypted.
    This filter disables encryption for select entities, chosen by a script
    that consults a custom collection of entityIDs instead of a list of <Entity> elements.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- this particular entity attribute disables encryption -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>

    <!-- add the entity attribute to a predefined collection of entities -->
    <ConditionScript customObjectRef="MyEntityCollection">
        <Script>
        <![CDATA[
            // this function takes a custom object of type Collection<String>
            // and returns an implementation of Predicate<EntityDescriptor>;
            // the predicate is then applied to the input object
            //
            // the custom argument is of type:
            // java.util.Collection<String>
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.metadata.EntityDescriptor
            //
            (function (entityIDs) {
                "use strict";

                // return a trivial implementation of Predicate<EntityDescriptor>
                if (entityIDs === null) {
                    return function (entity) { return false; };
                }

                // return an implementation of Predicate<EntityDescriptor>
                // that depends on a custom object of type Collection<String>
                return function (entity) {
                    if (entity === null) { return false; }
                    return entityIDs.contains(entity.getEntityID());
                };
            }(custom))(input);
        ]]>
        </Script>
    </ConditionScript>
</MetadataFilter>