Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Namespace:urn:mace:shibboleth:2.0:metadata
Schema:http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Table of Contents

Overview

...

This filter is typically used to add algorithm extensions to remote metadata at runtime. The filter is usually applied to an HTTP metadata provider such as the FileBackedHTTPMetadataProvider or the DynamicHTTPMetadataProvider, since locally-maintained metadata can generally be edited directly.

...

Note

It is unsafe and undefined to use Spring properties (%{foo}) in any of the content for this filter.

XML Elements

Name

Description

<alg:DigestMethod>

<alg:SigningMethod>

Elements added to the <md:Extensions> block in metadata of all the entities which match any of the following <Entity> / <ConditionRef> / <ConditionScript> elements

<md:EncryptionMethod>

Element added to every encryption-applicable <md:KeyDescriptor> in every role contained in the metadata of all the entities which match any of the following <Entity> / <ConditionRef> / <ConditionScript> elements

<Entity>

The textual content is an entityID. All preceding extensions are added to the matching entity.

<ConditionRef>

The textual content is the Bean ID of type Predicate<EntityDescriptor>. All preceding extensions are added to the entities for which this returns true.

<ConditionScript>

The content of this element is an inline or local script resource that implements Predicate<EntityDescriptor>. All preceding extensions are added to the entities for which this returns true.

Examples

Note

Note the examples assume a set of XML namespace declarations in the top of the configuration that match the new shipping defaults in this release.

...

Expand
titleApply AES-CBC to all SPs, GCM to a few
Code Block
languagexml
<MetadataFilter xsi:type="Algorithm">
	
	<!-- GCM-supporting SPs. -->
<MetadataFilter xsi:type="Algorithm">
    <md:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes128-gcm" />
    <Entity>https://tested.example.org/sp</Entity>
    <Entity>https://also-tested.example.org/sp</Entity>
</MetadataFilter>

	<!-- Tag everything with CBC. -->
<MetadataFilter xsi:type="Algorithm">
	<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
	<ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>

</MetadataFilter>

The second example is sensible for a smaller metadata source for which the bulk of the SPs are assumed to support GCM and/or can practically be tested prior to deployment to identify the exceptions. This is just a straightforward application of CBC to the non-supporting systems.

Expand
titleApply AES-CBC to Exceptions
Code Block
languagexml
<MetadataFilter xsi:type="Algorithm">
	
	<!-- CBC-only SPs. -->
	<md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
    <Entity>https://broken.example.org/sp</Entity>
    <Entity>https://also-broken.example.org/sp</Entity>

</MetadataFilter>

The last example is a more comprehensive illustration of some of the fancier things that can be done.

...