Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The EntityRoleWhiteList (or EntityRole) filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.
For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See below for an explicit example.
Note: Filter order is important! This filter changes the content of the metadata, so a filter of this type should appear after any SignatureValidationFilter in the overall sequence of filters.
...
Name | Type | Default | Description |
---|
removeRolelessEntityDescriptors | boolean | true | Controls whether to keep entity descriptors that contain no roles. Note: If false, the resulting output may not be schema-valid since an <md:EntityDescriptor> element must include at least one role descriptor child element. |
removeEmptyEntitiesDescriptors | boolean | true | Controls whether to keep entities descriptors that contain no entity descriptors. Note: If false, the resulting output may not be schema-valid since an <md:EntitiesDescriptor> element must include at least one child element. |
Warning: Affiliation descriptors are removed by default. An <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true, both are filtered from the input.
Name | Cardinality | Description |
---|
<RetainedRole> | 0 or more | The textual content is the XML QName of the role to be retained. Note that property replacement cannot be used on this element. |
Warning: Don't forget to configure a child element. If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of this type will remove all roles (and therefore all entities) from the input. This is probably not what you want.
Examples
The following example retains all <md:SPSSODescriptor> elements in the input:
...
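A configuration sketch of the filter sequence the note above calls for, added here as an illustration and not taken from the original page or the Shibboleth distribution. The provider id, metadata URL, backing file and certificate path are placeholders, and the namespace declarations sit on the provider only so the fragment is self-contained.

```xml
<!-- Added example; id, URL and file paths are placeholders, not values from the page. -->
<MetadataProvider id="ExampleFederation"
        xsi:type="FileBackedHTTPMetadataProvider"
        xmlns="urn:mace:shibboleth:2.0:metadata"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
        metadataURL="https://metadata.example.org/aggregate.xml"
        backingFile="%{idp.home}/metadata/example-aggregate.xml">

    <!-- 1. Verify the signature over the aggregate exactly as it was fetched. -->
    <MetadataFilter xsi:type="SignatureValidation"
            certificateFile="%{idp.home}/credentials/example-federation-signer.pem"/>

    <!-- 2. Only then change the content: keep SP roles, drop every other role.
         The two attributes are shown with their documented defaults. -->
    <MetadataFilter xsi:type="EntityRoleWhiteList"
            removeRolelessEntityDescriptors="true"
            removeEmptyEntitiesDescriptors="true">
        <!-- The md prefix must be bound in scope for this QName to resolve. -->
        <RetainedRole>md:SPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <!-- Misconfiguration to avoid: no RetainedRole child, so no role is retained
         and every entity is removed from the input.
    <MetadataFilter xsi:type="EntityRoleWhiteList"/>
    -->
</MetadataProvider>
```

With the defaults shown, entities that carry only an <md:AffiliationDescriptor> are also dropped, as the warning above describes.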