Versions Compared

Old Version 16

changes.mady.by.user trscavo@internet2.edu

Saved on

compared with

New Version 17

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Overview

The AttributeInMetadata type describes is a Matcher that which filters results based which filters results based upon any on <md:RequestedAttribute> elements in the metadata for the AttributeConsumingService for the request.  The elements within the request-indicated <md:AttributeConsumingService> in the SP's metadata. The parameterization controls

  • Whether the RequestedAttribute is mapped directly or not <md:RequestedAttribute> naming is applied directly or inferred from a rudimentary algorithm based on the IdP's attribute encoding rules (attributeName and attributeNameFormat)
  • What the The behavior is if the ACS has no requested Attributes. (when the metadata contains no <md:RequestedAttribute> elements (via matchIfMetadataSilent)
  • What the The behavior is with respect to the the isRequired XML attribute on the <md:RequestedAttribute> element (if any)
  • Whether this is a Matcher or a PolicyRule (via attributeID)
Note

The AttributeInMetadata type is a Matcher that consults <md:RequestedAttribute> elements in SP metadata.

For a PolicyRule that consults Entity Attributes (associated with the SAML2 Metadata Entity for the SP) use EntityAttributeExactMatch or EntityAttributeRegexMatch

Schema Name

The AttributeInMetadata type is defined by Value matching is purely string-based. Only string attribute values of the input attribute are inspected and they are compared with a string representation of each of the values in the RequestedAttribute. Only matching values are added to the Permit or Deny List.

Info
titleAttributeInMetadata or MappedAttributeInMetadata?

The AttributeInMetadata and MappedAttributeInMetadata matchers have significant overlap. In practice, use AttributeInMetadata if you need to base the rule on the SAML attribute naming, and MappedAttributeInMetadata if you need to compare non-string values or are concerned about the extra costs of constantly performing the indirection between the SAML naming in the metadata and the internal encoding rules in the IdP.

Schema Type and Location

The AttributeInMetadata type is defined in the urn:mace:shibboleth:2.0:afp:mf schema, namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.Prior to release 3.2.0 the

The deprecated saml:SAMLAttributeInMetadata type is defined by defined in the urn:mace:shibboleth:2.0:afp:mf:saml schema namespace, the schema for which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd. Use of this namespace is deprecated, but is supported.

Reference

Attributes

NameTypeDefaultDescription
attributeNameStringoptionalIf this attribute is present, a RequestedAttribute with this name <md:RequestedAttribute> element with this Name is searched for. If absent this attribute is not present, then the attribute encoders associated with the (internal IdP ) Attribute under consideration are consulted and the first matching (format and name) RequestedAttribute based on NameFormat and Name) <md:equestedAttribute> is used.
attributeNameFormatStringoptional

If this attribute is present, provides additional filtering of the RequestedAttribute <md:RequestedAttribute> information, such that it will only be matched if one of the following conditions is true:

  • The value of attributeNameFormat attribute matches the value of the NameFormat XML attribute on the RequestedAttribute or
  • The NameFormat XML attribute is not present or
  • The value of the NameFormat XML attribute is urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified

Use of the attributeNameFormat attribute is meaningless if attributeName is not present.

matchIfMetadataSilentbooleanBooleanfalseIf the value of this attribute is true , then all input values are returned if and only if the metadata contains no <md:RequestedAttribute> elements whatsoever. This attribute has no effect if the metadata contains one or more <md:RequestedAttribute> elements. information.
onlyIfRequiredbooleanBoolean

true (erroneously false in release prior to 3.2, see here)

If the value of this attribute is true , and the corresponding <md:RequestedAttribute> element element does not carry the specify isRequired="true" XML attribute , then no values are matched.
attributeIDStringoptionalIf this attribute is present, then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. See AttributeValueString for an exmaple of how attributeID changes the meaning of a Matcher in a slightly less daunting environment.

Value matching is purely string based. Only string attribute values of the input attribute are inspected and they are compared with a string representation of each of the values in the RequestedAttribute. Only matching values are added to the Permit or Deny List.

Info
titleAttributeInMetadata or MappedAttributeInMetadata?
AttributeInMetadata and MappedAttributeInMetadata are both matchers with significant overlap. In practice, use AttributeInMetadata if you require to coerce the attributeName or attributeNameFormat and MappedAttributeInMetadata if you need to compare non-string values, or are concerned about the extra costs of constantly performing the lookup in the metadata
scenario.

Child Elements

None

Example 1

Code Block
languagexml
<PermitValueRule xsi:type="AttributeInMetadata" id="PermitRule" onlyIfRequired="true" matchIfMetadataSilent="true"/>

Example 2

Suppose an SP has the following requested attributes in metadata:

Code Block
languagexml
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="displayName"
   Name="urn:oid:2.16.840.1.113730.3.1.241"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="mail"
   Name="urn:oid:0.9.2342.19200300.100.1.3"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Then an IdP with the following configuration will release the indicated wire attributes to the above SP :provided that they are configured with attribute encoders that match the SAML naming above.

Code Block
languagexml
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <!-- assuming ePPN is non-reassigned -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Such an IdP will not release attributes to an SP unless the indicated requested attributes are in SP metadata.

Example 3

Example 2

Now suppose an SP has the following requested attributes in metadata:

Code Block
languagexml
<md:RequestedAttribute FriendlyName="metaSharedUserID"
   Name="http://example.org/attribute/metaSharedUserID"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="metaPersonName"
   Name="http://example.org/attribute/metaPersonName"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="metaEmailAddress"
   Name="http://example.org/attribute/metaEmailAddress"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Then two IdPs with the following configurations will release the indicated wire attributes to the above SP:

Code Block
languagexml
<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="ANY"/>

  <!-- assuming ePPN is non-reassigned -->
  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaSharedUserID"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaPersonName"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaEmailAddress"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>
Code Block
languagexml
<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="ANY"/>

  <!--
assuming ePUId is non-reassigned by definition -->
  <afp:AttributeRule attributeID="eduPersonUniqueId">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaSharedUserID"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaPersonName"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaEmailAddress"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Note that both IdPs have an attribute release policy that relies on the same set of requested attributes, but the requested attributes are mapped to different wire attributes in each case.