Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
...
Recall that the following EntityRole (formerly EntityRoleWhiteList) filter retains all <md:SPSSODescriptor> elements in the input:
...
<!-- On IdP versions that predate the rename, the type is xsi:type="EntityRoleWhiteList" -->
<MetadataFilter xsi:type="EntityRole" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
The previous filter essentially filters all non-SP role descriptors from the input. At the end of that process, if an empty entity descriptor remains (because all of its roles have been removed), the entity itself is removed.
Unfortunately the EntityRole filter may not handle affiliation descriptors as expected. Specifically, an <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled in exactly the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true (which it is by default), both are removed from the input.
A quick fix that preserves any affiliation descriptors in the input is to set removeRolelessEntityDescriptors to false on the EntityRole filter. However, this also prevents truly “roleless” entity descriptors from being removed, which may have a negative impact on memory utilization. A workaround is to use both an EntityRole filter and a Predicate filter, in sequence.
The following filter sequence is a complete replacement for the above EntityRole filter:
Retain SP roles while preserving affiliation descriptors
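As an added example, not the wiki page's own configuration, here is a two-filter sequence implementing the approach described above: the EntityRole filter keeps SP roles without dropping roleless entities, and a Predicate filter then drops only entities that have neither a role descriptor nor an affiliation descriptor. It assumes (these are assumptions, not from the page) that the Predicate filter accepts direction="exclude" and a ConditionScript whose script sees the candidate entity as input and can call the OpenSAML getters getRoleDescriptors() and getAffiliationDescriptor().

```xml
<!-- Step 1: keep only SP roles, but do NOT drop roleless entities yet.
     (On IdP versions that predate the rename, use xsi:type="EntityRoleWhiteList".) -->
<MetadataFilter xsi:type="EntityRole"
                removeRolelessEntityDescriptors="false"
                xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

<!-- Step 2: remove the truly roleless entities left over from step 1.
     Assumed (not from the page): direction="exclude" removes entities for which
     the condition is true, the script sees the EntityDescriptor under test as
     "input", and the value of the last expression is the script's result. -->
<MetadataFilter xsi:type="Predicate" direction="exclude">
    <ConditionScript>
        <Script><![CDATA[
            // true (=> excluded) only when no role descriptor survived step 1
            // AND the entity carries no affiliation descriptor
            input.getRoleDescriptors().isEmpty() && input.getAffiliationDescriptor() == null
        ]]></Script>
    </ConditionScript>
</MetadataFilter>
```

An IdP-only entity loses its role in step 1 and is excluded in step 2, while an affiliation-only entity passes both filters unchanged.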
Note that removeRolelessEntityDescriptors is set to false on the EntityRole filter, which runs first. The Predicate filter then removes the “roleless” entity descriptors from its input without disturbing the affiliation descriptors (if any).