Versions Compared

Old Version 17

changes.mady.by.user Rod Widdowson

Saved on

compared with

New Version 18

changes.mady.by.user Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Table of Contents
minLevel1
maxLevel13

Overview

Localtabgroup
Localtab live
titleV4.0

The EntityRoleWhiteList filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

Localtab live
activetrue
titleV4.1+

The EntityRole filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See below for an explicit example.

Note

Filter order is important!

This filter changes the content of the metadata and so a filter of this type should appear after any SignatureValidationFilter in the overall sequence of filters.

...

Localtabgroup
Localtab live
titleXML Attributes

Name

Type

Default

Description

removeRolelessEntityDescriptors

boolean

true

Controls whether to keep entity descriptors that contain no roles. Note: If false, the resulting output may not be schema-valid since an <md:EntityDescriptor> element must include at least one role descriptor child element.

removeEmptyEntitiesDescriptors

boolean

true

Controls whether to keep entities descriptors that contain no entity descriptors. Note: If false, the resulting output may not be schema-valid since an <md:EntitiesDescriptor> element must include at least one child element.

Warning

Affiliation descriptors are removed by default

warning

An <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true, both are filtered from the input.

Localtab live
titleXML Elements

Name

Cardinality

Description

<RetainedRole>

0 or more

The textual content is the XML QName of the role to be retained.

Note that property replacement cannot be used on this element.

Warning

Don't forget to configure a child element

warning

If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of this type will remove all roles (and therefore all entities) from the input. This is probably not what you want.

Examples

The following example retains all <md:SPSSODescriptor> elements in the input:

...