...
Here's an example policy (more or less matching an example in the default file) that applies this tag test :
...
to a couple of attributes. A couple of subtle points here.
One is that this approach is really a purely "local" one because the IdP Attribute names are local/internal only. You might assume most people use similar conventions and you'd be right, but you can't expect that to be true universally, so it is not appropriate to ever try and use this kind of metadata tag outside of a scenario that does not involve control of the IdP. It's not a fix for the brokenness of the more general SAML <RequestedAttribute> metadata element, which is unusable for a variety of reasons.
Less critically, note that this policy example demonstrates an optimization in that it applies the tag check in the <AttributeRule>(s) and not up in the <PolicyRequirementRule>. This has the advantage of requiring less XML to express and is about the same or better in performance than running multiple policies. It's not as good for an attribute that might have 3-5 or more values, since that would force the cost of checking for the tag to be paid for each value.
| Code Block |
|---|
<AttributeFilterPolicy id="Per-Attribute-singleValued"> <PolicyRequirementRule xsi:type="ANY"/> <AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="urn:mace:osu.edu:shibboleth:attribute-def:FERPA" /> </PolicyRequirementRule> shibboleth.net/ns/attributes/releaseAllValues" attributeNamespace="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="eduPersonPrincipalName" /> </AttributeRule> <AttributeRule attributeID="eduPersonPrincipalName"> mail"> <PermitValueRule xsi:type="EntityAttributeExactMatch" attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" attributeNamespace="urn:mace:osu.edu:shibboleth:attribute-release" attributeValue="eduPersonPrincipalNameoasis:names:tc:SAML:2.0:attrname-format:uri" attributeValue="mail" /> </AttributeRule> </AttributeFilterPolicy> |
Reference
| Bean ID | Type | Function |
|---|---|---|
| RelyingParty.MDDriven | RelyingPartyConfiguration | A template bean for use in defining metadata-driven RelyingParty overrides by hand |
| RelyingPartyByName.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by name |
| RelyingPartyByGroup.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching by <EntitiesDescriptor> groups |
| RelyingPartyByTag.MDDriven | RelyingPartyConfiguration | A template bean for defining metadata-driven RelyingParty overrides based on matching <EntityAttributes> extension content |
Shibboleth.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 1.1 SSO profile |
| SAML1.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Attribute Query profile |
| SAML1.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 1.1 Artifact Resolution profile |
| SAML2.SSO.MDDriven | BrowserSSOProfileConfiguration | Default metadata-driven configuration for SAML 2.0 SSO profile |
| SAML2.ECP.MDDriven | ECPProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Enhanced Client/Proxy profile |
| SAML2.Logout.MDDriven | Default metadata-driven configuration for SAML 2.0 Single Logout profile | |
| SAML2.AttributeQuery.MDDriven | AttributeQueryProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Attribute Query profile |
| SAML2.ArtifactResolution.MDDriven | ArtifactResolutionProfileConfiguration | Default metadata-driven configuration for SAML 2.0 Artifact Resolution profile |
| Liberty.SSOS.MDDriven | SSOSProfileConfiguration | Default metadata-driven configuration for Liberty ID-WSF Delegated SSO profile |
| CAS.LoginConfiguration.MDDriven | LoginConfiguration | Default metadata-driven configuration for CAS login prototol |
| CAS.ProxyConfiguration.MDDriven | ProxyConfiguration | Default metadata-driven configuration for CAS proxy login protocol |
| CAS.ValidateConfiguration.MDDriven | ValidateConfiguration | Default metadata-driven configuration for CAS ticket validation protocol |
| shibboleth.DefaultMDProfileAliases | List<String> | A built-in list of alternate URL "prefixes" to property names, this is used to automate the generation of property tag names that apply to all profiles at the same time. |
| shibboleth.MDProfileAliases | List<String> | An optional user-supplied list of additional URL prefixes to support custom property tag names |
| shibboleth.MDDrivenStringProperty | StringConfigurationLookupStrategy | Parent bean for defining new lookup strategies for string settings |
| shibboleth.MDDrivenBoolProperty | BooleanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for boolean settings |
| shibboleth.MDDrivenIntProperty | IntegerConfigurationLookupStrategy | Parent bean for defining new lookup strategies for integer settings |
| shibboleth.MDDrivenLongProperty | LongConfigurationLookupStrategy | Parent bean for defining new lookup strategies for long integer settings |
| shibboleth.MDDrivenDoubleProperty | DoubleConfigurationLookupStrategy | Parent bean for defining new lookup strategies for double settings |
| shibboleth.MDDrivenDurationProperty | DurationConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Duration settings |
| shibboleth.MDDrivenListProperty | ListConfigurationLookupStrategy | Parent bean for defining new lookup strategies for List settings |
| shibboleth.MDDrivenSetProperty | SetConfigurationLookupStrategy | Parent bean for defining new lookup strategies for Set settings |
| shibboleth.MDDrivenBeanProperty | BeanConfigurationLookupStrategy | Parent bean for defining new lookup strategies for arbitrary Spring bean settings |