...
If a particular entity descriptor contains no <md:SPSSODescriptor> child element, all role descriptors are removed. If the value of the removeRolelessEntityDescriptors attribute is true (which it is by default), the entity itself is removed as well.
In the unlikely event that no entity descriptor contains an <md:SPSSODescriptor> child element, then all entities are removed. If the value of the removeEmptyEntitiesDescriptors attribute is true (which it is by default), the parent <md:EntitiesDescriptor> element is removed as well. In other words, the entire metadata aggregate is filtered in this (extreme) case.
| Warning | ||
|---|---|---|
| ||
If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all roles (and therefore all entities) from the input. This is probably not what you want to do. |