A filter of type EntityAttributes adds SAML entity attributes to, or removes them from, the <mdattr:EntityAttributes> extension element in metadata, in order to drive software behavior based on entity attributes.
...
The embedded entity attribute is defined by the urn:oasis:names:tc:SAML:2.0:assertion namespace, the schema for which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. The latter namespace is usually associated with the saml: prefix.
Attributes
None.
Child Elements
The first two are optional, mutually exclusive, and must appear first:
Name | Description
---|---
<AttributeFilterRef> 3.4 | Optional Bean ID of type Predicate
<AttributeFilterScript> | The content of this element is an inline or local script resource that implements Predicate<Attribute>, which is applied to all pre-existing extension attributes. Any entity attribute for which it evaluates false is removed prior to subsequent additions.
Then, any of the following can be supplied in any order:
...
Add entity attributes to metadata
The following example adds the entity attribute "https://sp.example.org/tagname1" to entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to entity "https://sp2.example.org".
...
Note: The remaining examples in this section require V3.4 or later.
...
Remove entity attributes from metadata
The following example removes unauthorized entity attributes from the input. The metadata filter uses an <AttributeFilterScript> to remove any and all entity attributes that might otherwise be used to configure a SAML protocol at runtime. It does this by matching on a common prefix of the overall set of Shibboleth profile URIs.
```xml
<MetadataFilter xsi:type="EntityAttributes">
    <!-- remove unauthorized entity attributes -->
    <AttributeFilterScript>
        <Script>
            <![CDATA[
            // an implementation of Predicate<Attribute>
            //
            // if the name of the entity attribute starts with
            // a common prefix of the Shibboleth profile URIs,
            // the function returns false, which removes the
            // entity attribute from its entity descriptor
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.core.Attribute
            (function (attribute) {
                "use strict";
                // Shibboleth profile URI prefix
                var prefix = "http://shibboleth.net/ns/profiles";
                // check the parameter
                if (attribute === null) { return true; }
                // check a prefix of the attribute name
                return ! attribute.getName().startsWith(prefix);
            }(input));
            ]]>
        </Script>
    </AttributeFilterScript>
</MetadataFilter>
```
Note: An IdP that configures itself on-the-fly using entity attributes should include the previous filter in the overall sequence of filters. The previous filter should appear before any entity attributes are added by subsequent filters. On the other hand, if the metadata source is completely trustworthy (e.g., a local metadata source), the previous filter is not necessary. See the MetadataDrivenConfiguration topic for more info.
Add entity attributes that affect signing operations
The following example uses entity attributes to override default signing operations during web browser SSO. See the MetadataDrivenConfiguration topic for additional examples.
```xml
<!-- By default, responses are signed but assertions are not.
     This filter enables signing of both responses and assertions for
     select entities. For other entities, only assertions are signed. -->
<MetadataFilter xsi:type="EntityAttributes">
    <!-- sign assertions -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
    </saml:Attribute>
    <!-- sign both responses and assertions for the following entity -->
    <Entity>https://sp.example1.org</Entity>
    <!-- do not sign responses -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <!-- sign assertions but do not sign responses for the following entities -->
    <Entity>https://sp.example2.org</Entity>
    <Entity>https://sp.example3.org</Entity>
</MetadataFilter>
```
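To make the ordering rules concrete, here is an added example (not part of the Shibboleth wiki or the IdP code base) that models how an EntityAttributes filter is applied and runs the signing example above together with the removal predicate from the previous section. It assumes the semantics this page describes: the <AttributeFilterScript> predicate is applied to pre-existing attributes first, and each <Entity> receives every <saml:Attribute> that precedes it in the filter; the sample metadata and the step representation are constructed for this model.

```javascript
// Added example (not from the Shibboleth wiki): a small model of how an
// EntityAttributes filter is applied, so the signing example's outcome can
// be inspected. Assumption: the removal predicate runs over pre-existing
// attributes first, then each <Entity> receives every preceding <saml:Attribute>.
const PROFILE_PREFIX = "http://shibboleth.net/ns/profiles";
const SIGN_ASSERTIONS = PROFILE_PREFIX + "/saml2/sso/browser/signAssertions";
const SIGN_RESPONSES = PROFILE_PREFIX + "/saml2/sso/browser/signResponses";
// Same rule as the page's AttributeFilterScript: drop any pre-existing
// attribute whose Name starts with the Shibboleth profile URI prefix.
function keepAttribute(attribute) {
  return attribute === null || !attribute.name.startsWith(PROFILE_PREFIX);
}
// entities: [{entityID, attributes: [{name, value}]}]
// filter: {keep: predicate, steps: [{attribute: {name, value}} | {entity: id}]}
function applyEntityAttributesFilter(entities, filter) {
  const out = entities.map((e) => ({
    entityID: e.entityID,
    attributes: e.attributes.filter(filter.keep), // removals happen first
  }));
  const pending = []; // attributes seen so far; applied to later <Entity> steps
  for (const step of filter.steps) {
    if (step.attribute) pending.push(step.attribute);
    else out.filter((e) => e.entityID === step.entity)
            .forEach((e) => e.attributes.push(...pending));
  }
  return out;
}
// Constructed sample metadata: sp.example1.org already carries a profile
// attribute (as untrusted metadata might) plus an unrelated attribute.
const SAMPLE_METADATA = [
  { entityID: "https://sp.example1.org", attributes: [
      { name: SIGN_RESPONSES, value: "false" }, { name: "urn:example:unrelated", value: "keep-me" } ] },
  { entityID: "https://sp.example2.org", attributes: [] },
  { entityID: "https://sp.example3.org", attributes: [] },
];
// The page's signing example, expressed as ordered filter steps.
const SIGNING_FILTER = { keep: keepAttribute, steps: [
  { attribute: { name: SIGN_ASSERTIONS, value: "true" } },
  { entity: "https://sp.example1.org" },
  { attribute: { name: SIGN_RESPONSES, value: "false" } },
  { entity: "https://sp.example2.org" },
  { entity: "https://sp.example3.org" } ] };

// Returns {entityID: {attributeName: value}} after the filter has run.
function runSigningExample() {
  return Object.fromEntries(applyEntityAttributesFilter(SAMPLE_METADATA, SIGNING_FILTER)
    .map((e) => [e.entityID, Object.fromEntries(e.attributes.map((a) => [a.name, a.value]))]));
}
```

Running it shows that the injected signResponses attribute on sp.example1.org is stripped before the filter's own attributes are applied, while the unrelated attribute survives.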
Add an entity attribute that disables encryption
The following example uses an entity attribute to disable encryption on a specific set of entities in the input. A <ConditionScript> adds the entity attribute (encryptAssertions) to a collection of entities specified by a Spring bean (customObjectRef="MyEntityCollection") defined elsewhere in the configuration. The collection is exposed to the script via a custom object of type Collection<String>. Each element of the collection is an entityID.

The script takes an argument of type Collection<String> (i.e., the custom object) and returns a function that implements Predicate<EntityDescriptor>. The resulting predicate is applied to the input object. The entity attribute is added to the entity descriptor if (and only if) the predicate evaluates to true.
```xml
<!-- By default, SAML assertions are encrypted. This filter disables encryption for select entities. -->
<MetadataFilter xsi:type="EntityAttributes">
    <!-- this particular entity attribute disables encryption -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>
    <!-- add the entity attribute to a predefined collection of entities -->
    <ConditionScript customObjectRef="MyEntityCollection">
        <Script>
            <![CDATA[
            // this function takes a custom object of type Collection<String>
            // and returns an implementation of Predicate<EntityDescriptor>;
            // the predicate is then applied to the input object
            //
            // the custom argument is of type:
            // java.util.Collection<String>
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.metadata.EntityDescriptor
            //
            (function (entityIDs) {
                "use strict";
                // return a trivial implementation of Predicate<EntityDescriptor>
                if (entityIDs === null) {
                    return function (entity) { return false; };
                }
                // return an implementation of Predicate<EntityDescriptor>
                // that depends on a custom object of type Collection<String>
                return function (entity) {
                    if (entity === null) { return false; }
                    return entityIDs.contains(entity.getEntityID());
                };
            }(custom))(input);
            ]]>
        </Script>
    </ConditionScript>
</MetadataFilter>
```
Tip: The <AttributeFilterScript> shown under "Remove entity attributes from metadata" is generally useful, since it removes any and all entity attributes that configure a SAML protocol at runtime. It does this by matching on a common prefix of the overall set of Shibboleth profile URIs.