Versions Compared

Version Old Version 18 New Version Current
Changes made by

Rod Widdowson

Rod Widdowson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Table of Contents

Overview

...

Recall that the following EntityRoleWhiteList EntityRole filter retains all <md:SPSSODescriptor> elements in the input:

...

Code Block
languagexml
<MetadataFilter xsi:type="EntityRoleWhiteListEntityRole" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

The previous filter essentially filters all non-SP role descriptors from the input. At the end of that process, if an empty entity descriptor remains (because all of its roles have been removed), the entity itself is removed.

Unfortunately the EntityRoleWhiteList EntityRole filter may not handle affiliation descriptors as expected. Specifically, an <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled in exactly the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true (which it is by default), both are removed from the input.

A quick fix that preserves any affiliation descriptors in the input is to set removeRolelessEntityDescriptors to false on the EntityRoleWhiteList EntityRole filter. However, this also prevents truly “roleless” entity descriptors from being removed, which may have a negative impact on memory utilization. A workaround is to use both an EntityRoleWhiteList EntityRole filter and a Predicate filter, in sequence.

The following filter sequence is a complete replacement for the above EntityRoleWhiteListEntityRole filter:

Retain SP roles while preserving affiliation descriptors
Expand
titleRetain SP roles while preserving affiliation descriptors
Code Block
languagexml
<!-- retain SPs only but don’t remove “roleless” entity descriptors -->
<MetadataFilter xsi:type="EntityRoleWhiteListEntityRole" removeRolelessEntityDescriptors="false" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

<!-- clean up the mess made by the EntityRoleWhiteListEntityRole filter -->
<MetadataFilter xsi:type="Predicate" direction="exclude" removeEmptyEntitiesDescriptors="true">
    <ConditionScript>
        <Script>
        <![CDATA[
            // an implementation of Predicate<EntityDescriptor>
            //
            // if the predicate function returns true, the entity descriptor
            // is excluded from the output (since direction="exclude").
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.metadata.EntityDescriptor
            //
            (function (entity) {
                "use strict";

                // check the parameter
                if (entity === null) { return false; }

                // preserve an affiliation descriptor
                if (entity.getAffiliationDescriptor() !== null) { return false; }

                // exclude a "roleless" entity descriptor
                return entity.getRoleDescriptors() === null;
            }(input));
        ]]>
        </Script>
    </ConditionScript>
</MetadataFilter>

Note that removeRolelessEntityDescriptors is set to false on the EntityRoleWhiteList EntityRole filter, which runs first. The Predicate filter then removes the “roleless” entity descriptors from its input without disturbing the affiliation descriptors (if any).