A filter of type EntityAttributes adds or removes SAML entity attributes to the <mdattr:EntityAttributes> extension element in metadata in or from metadata in order to drive software behavior based on entity attributes..
| Tip | ||
|---|---|---|
| ||
The EntityAttributes filter is typically used to add entity attributes to remote metadata at runtime. The filter is usually applied to an HTTP metadata provider such as the FileBackedHTTPMetadataProvider or the DynamicHTTPMetadataProvider. |
Contents
| Table of Contents |
|---|
Sequences of <saml:Attribute> elements are supplied as filter content. When a child element such as <Entity> or <ConditionRef> or <ConditionScript> evaluates to true, the SAML attributes are applied to the corresponding entities as entity attributes.
| Note | ||
|---|---|---|
| ||
This filter changes the content of the metadata and so a filter of type |
| Tip | ||
|---|---|---|
| ||
Deliberately position an EntityAttributes filter in the overall sequence of filters for optimal efficiency. In particular, a filter of type EntityAttributes should appear after the EntityRoleWhiteListFilter since the latter effectively removes entities from the input. |
As of V3.4, an inbound attribute filtering feature (<AttributeFilterRef> or <AttributeFilterScript>) allows existing entity attributes to be removed prior to performing any additions. This allows locally applied tags to be blocked from use by external metadata sources, which prevents misuse.
Schema
The <MetadataFilter> element and the type EntityAttributes are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The <mdattr:EntityAttributes> extension element is defined by the OASIS SAML V2.0 Metadata Extension for Entity Attributes specification.
The embedded entity attribute is defined by the urn:oasis:names:tc:SAML:2.0:assertion namespace, the schema for which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. The latter namespace is usually associated with the saml: prefix.
Attributes
None.
Child Elements
The first two are optional, mutually exclusive, and must appear first:
...
Optional Bean ID of type Predicate<Attribute>, this is applied to all pre-existing extension attributes and any for which it evaluates false are removed prior to subsequent additions
...
<AttributeFilterScript> 3.4
...
Then, any of the following can be supplied in any order:
...
The textual content is the Bean ID of type Predicate<EntityDescriptor>. All preceding attributes are added to the entities for which this returns true.
...
The content of this element is an inline or local script resource that implements Predicate<EntityDescriptor>. All preceding attributes are added to the entities for which this returns true.
Examples
Add entity attributes to metadata
The following example adds the entity attribute "https://sp.example.org/tagname1" to entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to entity "https://sp2.example.org"
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<MetadataFilter xsi:type="EntityAttributes">
<saml:Attribute Name="https://sp.example.org/tagname1">
<saml:AttributeValue>foo</saml:AttributeValue>
</saml:Attribute>
<Entity>https://sp1.example.org</Entity>
<saml:Attribute Name="https://sp.example.org/tagname2">
<saml:AttributeValue>foo</saml:AttributeValue>
<saml:AttributeValue>bar</saml:AttributeValue>
</saml:Attribute>
<Entity>https://sp2.example.org</Entity>
</MetadataFilter> |
| Note | ||
|---|---|---|
| ||
| The remaining examples in this section require V3.4 or later. |
Add entity attributes that affect signing operations
The following example uses entity attributes to override default signing operations during web browser SSO. See the MetadataDrivenConfiguration topic for additional examples.
...
| language | xml |
|---|---|
| title | Add entity attributes that affect signing operations |
| collapse | true |
...
The <mdattr:EntityAttributes> extension element is a container for entity attributes. Syntactically, an entity attribute looks like an ordinary user attribute. For example:
| Code Block | ||||
|---|---|---|---|---|
| ||||
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes> |
In the previous example, the name and value of the entity attribute are http://macedir.org/entity-category and http://refeds.org/category/research-and-scholarship, respectively. Note that an entity attribute may be multi-valued.
To use the EntityAttributes filter, sequences of <saml:Attribute> elements are supplied as filter content. When a child element such as <Entity> or <ConditionRef> or <ConditionScript> evaluates to true, the SAML attributes are applied to the corresponding entities as entity attributes. The software automatically adds or removes the parent <mdattr:EntityAttributes> extension element as needed.
| Note | ||
|---|---|---|
| ||
This filter changes the content of the metadata and so a filter of type |
| Tip | ||
|---|---|---|
| ||
Deliberately position an EntityAttributes filter in the overall sequence of filters for optimal efficiency. In particular, a filter of type EntityAttributes should appear after the EntityRoleWhiteListFilter since the latter effectively removes entities from the input. |
As of V3.4, an inbound attribute filtering feature (<AttributeFilterRef> or <AttributeFilterScript>) allows existing entity attributes to be removed prior to performing any additions. This allows locally applied tags to be blocked from use by external metadata sources, which prevents misuse.
Schema
The <MetadataFilter> element and the type EntityAttributes are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The schema for the <mdattr:EntityAttributes> extension element is part of the OASIS SAML V2.0 Metadata Extension for Entity Attributes specification.
The embedded entity attribute is defined by the urn:oasis:names:tc:SAML:2.0:assertion namespace, the schema for which can be located at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. The latter namespace is usually associated with the saml: prefix.
Attributes
None.
Child Elements
The first two are optional, mutually exclusive, and must appear first:
| Name | Description |
|---|---|
<AttributeFilterRef> 3.4 | Optional Bean ID of type Predicate |
| The content of this element is an inline or local script resource that implements Predicate<Attribute>, which is applied to all pre-existing extension attributes. Any entity attribute for which it evaluates false are removed prior to subsequent additions. |
Then, any of the following can be supplied in any order:
| Name | Description |
|---|---|
<saml:Attribute> | An attribute which is added to all the entities which match any of the following <Entity> or <ConditionRef> elements |
<Entity> | The textual content is an entityID. All preceding attributes are added to the entity with this ID. |
<ConditionRef> | The textual content is the Bean ID of type Predicate |
<ConditionScript> 3.4 | The content of this element is an inline or local script resource that implements Predicate |
Examples
Add entity attributes to metadata
The following example adds the entity attribute "https://sp.example.org/tagname1" to entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to entity "https://sp2.example.org"
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Attribute Name="https://sp.example.org/tagname1">
<saml:AttributeValue>foo</saml:AttributeValue>
</saml:Attribute>
<Entity>https://sp1.example.org</Entity>
<saml:Attribute Name="https://sp.example.org/tagname2">
<saml:AttributeValue>foo</saml:AttributeValue>
<saml:AttributeValue>bar</saml:AttributeValue>
</saml:Attribute>
<Entity>https://sp2.example.org</Entity>
</MetadataFilter> |
| Note | ||
|---|---|---|
| ||
| The remaining examples in this section require V3.4 or later. |
Remove entity attributes from metadata
The following example removes unauthorized entity attributes from the input. The metadata filter uses an <AttributeFilterScript> to remove any and all entity attributes that might be used to subsequently configure a SAML protocol at runtime. It does this by matching on a common prefix of the overall set of Shibboleth profile URIs.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<MetadataFilter xsi:type="EntityAttributes"> <!-- doremove notunauthorized signentity responsesattributes --> <AttributeFilterScript> <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <Script> <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue> </saml:Attribute>![CDATA[ <!-- sign assertions but do not// signan responsesimplementation forof thePredicate<Attribute> following entities --> <Entity>https://sp.example2.org</Entity> <Entity>https://sp.example3.org</Entity> </MetadataFilter> |
Add an entity attribute that disables encryption
...
Once the <AttributeFilterScript> has completed its task, a <ConditionScript> adds the entity attribute (encryptAssertions) to a collection of entities specified by a Spring bean (customObjectRef="MyEntityCollection") defined elsewhere in the configuration. The collection is exposed to the script via a custom object of type Collection<String>. Each element of the collection is an entityID.
The script takes an argument of type Collection<String> (i.e., the custom object) and returns a function that implements Predicate<EntityDescriptor>. The resulting predicate is applied to the input object. The entity attribute is added to the entity descriptor if (and only if) the predicate evaluates to true.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<!-- By default, SAML assertions are encrypted. This filter disables encryption for select entities. --> <MetadataFilter xsi:type="EntityAttributes"> <!-- remove unauthorized entity attributes --> <AttributeFilterScript>// // if the name of the entity attribute starts with // a common prefix of the set of Shibboleth profile // URIs, the function returns false, which removes // the entity attribute from its entity descriptor // // the input argument is of type: // org.opensaml.saml.saml2.core.Attribute // (function (attribute) { "use strict"; // Shibboleth <Script>profile URI prefix <![CDATA[ var prefix = // an implementation of Predicate<Attribute>"http://shibboleth.net/ns/profiles"; // check the parameter // if the name of the entity attribute starts with (attribute === null) { return true; } // check a common prefix of the Shibbolethattribute profilename URIs, // the function returnsreturn false, which removes the! attribute.getName().startsWith(prefix); // entity attribute from its entity descriptor}(input)); ]]> <//Script> </AttributeFilterScript> // the input argument is of type: // org.opensaml.saml.saml2.core.Attribute </MetadataFilter> |
| Note | ||
|---|---|---|
| ||
| An IdP that configures itself on-the-fly using entity attributes should include the previous filter in the overall sequence of filters. The previous filter should appear before any entity attributes are added by subsequent filters. OTOH, if the metadata source is completely trustworthy (e.g., a local metadata source), the previous filter is not necessary. See the MetadataDrivenConfiguration topic for more info. |
Add entity attributes that affect signing operations
The following example uses entity attributes to override default signing operations during web browser SSO.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<!-- //By default, responses are signed but assertions are not. (function (attribute) { This filter enables signing of both responses and assertions for select entities. For other entities, "use strict"; only assertions are signed. --> <MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> // Shibboleth profile URI prefix <!-- sign assertions --> <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue> </saml:Attribute> var prefix = "http://shibboleth.net/ns/profiles"; // check the parameter if (attribute === null) { return true; } // check a prefix of the attribute name return ! attribute.getName().startsWith(prefix); }(input)); ]]> </Script> </AttributeFilterScript> <!-- sign both responses and assertions for the following entity --> <Entity>https://sp.example1.org</Entity> <!-- do not sign responses --> <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue> </saml:Attribute> <!-- sign assertions but do not sign responses for the following entities --> <Entity>https://sp.example2.org</Entity> <Entity>https://sp.example3.org</Entity> </MetadataFilter> |
Add an entity attribute that disables encryption
The following example uses an entity attribute to disable encryption on a specific set of entities in the input. A <ConditionScript> adds the entity attribute (encryptAssertions) to a collection of entities specified by a Spring bean (customObjectRef="MyEntityCollection") defined elsewhere in the configuration. The collection is exposed to the script via a custom object of type Collection<String>. Each element of the collection is an entityID.
The script takes an argument of type Collection<String> (i.e., the custom object) and returns a function that implements Predicate<EntityDescriptor>. The resulting predicate is applied to the input object. The entity attribute is added to the entity descriptor if (and only if) the predicate evaluates to true.
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<!--
By default, SAML assertions are encrypted.
This filter disables encryption for select entities.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<!-- this particular entity attribute disables encryption -->
<saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
</saml:Attribute>
<!-- add the entity attribute to a predefined collection of entities -->
<ConditionScript customObjectRef="MyEntityCollection">
<Script>
<![CDATA[
// this function takes a custom object of type Collection<String>
// and returns an implementation of Predicate<EntityDescriptor>;
// the predicate is then applied to the input object
//
// the custom argument is of type:
// java.util.Collection<String>
//
// the input argument is of type:
// org.opensaml.saml.saml2.metadata.EntityDescriptor
//
(function (entityIDs) {
"use strict";
// return a trivial implementation of Predicate<EntityDescriptor>
if (entityIDs === null) {
return function (entity) { return false; };
}
// return an implementation of Predicate<EntityDescriptor>
// that depends on a custom object of type Collection<String>
return function (entity) {
if (entity === null) { return false; }
return entityIDs.contains(entity.getEntityID());
};
}(custom))(input);
]]>
</Script>
</ConditionScript>
</MetadataFilter> | ||||||
| Tip | ||||||
| ||||||
The <AttributeFilterScript> in the previous example is generally useful since it removes any and all entity attributes that configure a SAML protocol at runtime. It does this by matching on a common prefix of the overall set of Shibboleth profile URIs. |