The <RelyingParty> element allows the SP to customize its behavior when it interacts with particular identity providers or groups of providers. By default, most of the properties that govern that interaction are set globally for an application (on <ApplicationDefaults> or an <ApplicationOverride>). This element allows them to be overridden for a subset of relying parties: only the options actually set on a <RelyingParty> element change, and everything else continues to come from the application-wide settings.
Selection of a <RelyingParty> element is either name-based, using its Name attribute, or relies on an extensible matching mechanism called an EntityMatcher.

If the Name attribute is present, the matching process starts with the IdP's entityID and proceeds upwards through the IdP's metadata, matching against the Name attribute of each enclosing <EntitiesDescriptor> group that is found. The most specific match wins: an element whose Name equals the entityID beats one naming the immediate group, which in turn beats one naming an outer group. Because the walk is over the metadata the SP has actually loaded, a Name that does not appear there as an entityID or group name never matches anything.

If the Name attribute is not present, then a type attribute must be used to indicate the type of EntityMatcher to apply, and other content will be required, depending on the type of matcher, to specify how to match.
Code Block

```xml
<ApplicationDefaults ...
        authType="TLS"
        artifactEndpointIndex="1"
        signing="false"
        encryption="false"
        requireConfidentiality="true"
        requireTransportAuth="true"
        signedAssertions="false"
        chunkedEncoding="false"
        connectTimeout="15"
        timeout="30">
    ...
    <RelyingParty Name="SpecialFederation" keyName="special.example.org"/>
    ...
</ApplicationDefaults>
```
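The name-based selection rule above (entityID first, then each enclosing group outward, most specific match wins, and only that one match applied on top of the application-wide settings) is easy to get wrong when a federation nests groups. The following Python script is an added illustration of that rule, written for this page; it is not Shibboleth SP code and does not use the SP's property-set API. It parses a constructed SAML metadata document with a nested <EntitiesDescriptor> group and a constructed, simplified <ApplicationDefaults> fragment (configuration namespace and unrelated attributes omitted), then resolves the effective properties, including an overridden SP entityID, for several IdPs. The metadata, entityIDs and group names are all made up for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITIES_DESCRIPTOR = "{%s}EntitiesDescriptor" % MD_NS
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS

# Constructed sample metadata (not a real federation feed): an outer group,
# a nested "special" group, and three IdPs.
METADATA_XML = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:federation">
  <md:EntitiesDescriptor Name="urn:example:federation:special">
    <md:EntityDescriptor entityID="https://idp1.special.example.org/idp/shibboleth"/>
    <md:EntityDescriptor entityID="https://idp2.special.example.org/idp/shibboleth"/>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example.org/idp/shibboleth"/>
</md:EntitiesDescriptor>
"""

# Constructed, simplified <ApplicationDefaults> (config namespace and most
# attributes omitted). One override per group level plus one per-IdP override.
CONFIG_XML = """<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
    signing="false" encryption="false">
  <RelyingParty Name="urn:example:federation" signing="true"/>
  <RelyingParty Name="urn:example:federation:special"
      entityID="https://sp-special.example.org/shibboleth"
      keyName="special.example.org"/>
  <RelyingParty Name="https://idp2.special.example.org/idp/shibboleth"
      encryption="true"/>
</ApplicationDefaults>
"""

METADATA_ROOT = ET.fromstring(METADATA_XML)
APP_ROOT = ET.fromstring(CONFIG_XML)


def name_lineage(metadata_root, entity_id):
    """Names to compare against, most specific first: the IdP's entityID,
    then the Name of each enclosing <EntitiesDescriptor>, walking outward.
    An IdP absent from the metadata yields only its entityID."""
    parent_of = {child: parent for parent in metadata_root.iter() for child in parent}
    names = [entity_id]
    node = next((ed for ed in metadata_root.iter(ENTITY_DESCRIPTOR)
                 if ed.get("entityID") == entity_id), None)
    while node is not None:
        node = parent_of.get(node)  # None once we step past the root
        if node is not None and node.tag == ENTITIES_DESCRIPTOR and node.get("Name"):
            names.append(node.get("Name"))
    return names


def select_relying_party(app_root, names):
    """Return the single <RelyingParty> whose Name is the most specific match,
    or None. Exactly one element is chosen: a per-IdP match hides any
    group-level element, whose settings are then not applied at all."""
    by_name = {rp.get("Name"): rp
               for rp in app_root.findall("RelyingParty") if rp.get("Name")}
    for name in names:  # already ordered most specific first
        if name in by_name:
            return by_name[name]
    return None


def effective_properties(app_root, metadata_root, entity_id):
    """Application-wide properties with the one matching override layered on top."""
    props = dict(app_root.attrib)
    rp = select_relying_party(app_root, name_lineage(metadata_root, entity_id))
    if rp is not None:
        props.update({k: v for k, v in rp.attrib.items() if k != "Name"})
    return props


if __name__ == "__main__":
    for idp in ("https://idp1.special.example.org/idp/shibboleth",
                "https://idp2.special.example.org/idp/shibboleth",
                "https://idp.other.example.org/idp/shibboleth",
                "https://idp.unknown.example.net/idp/shibboleth"):
        print(idp, "->", effective_properties(APP_ROOT, METADATA_ROOT, idp))
```

Two results are worth noticing when running it: idp1 picks up the group-level keyName and the overridden SP entityID, while idp2, which has its own per-entityID element, gets neither, because only the most specific element is applied and nothing is inherited from the group-level one. An IdP that is not in the loaded metadata falls through every group name and receives the plain application defaults.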
Attributes

- Name (string): Only permitted on <RelyingParty> child elements. For name-based matching, this is the value compared against the IdP's entityID or the names of its parent groups in metadata.
- type (string): For extensible matching, specifies the type of EntityMatcher to use. Refer to the associated documentation for the additional child content each matcher type requires.
- entityID (URI): Overrides the unique identifier the SP uses to identify itself when communicating with matching relying parties. Normally an SP should be able to use a single name in all its dealings, but this can help when dealing with externally imposed limitations; note that the overriding name must also be the one the affected relying parties have in their metadata for the SP, or they will not recognize it.
...