Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagexml
titleAdd entity attributes to metadata
collapsetrue
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute Name="https://sp.example.org/tagname1">
        <saml:AttributeValue>foo</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org</Entity>
    <saml:Attribute Name="https://sp.example.org/tagname2">
        <saml:AttributeValue>foo</saml:AttributeValue>
        <saml:AttributeValue>bar</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp2.example.org</Entity>
</MetadataFilter>

...

Code Block
languagexml
titleAdd entity attributes that affect signing operations
collapsetrue
<!-- 
    By default, responses are signed but assertions are not.
    This filter enables signing of both responses and assertions for select entities.
    For other entities, only assertions are signed.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- sign assertions -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
    </saml:Attribute>
  
    <!-- sign both responses and assertions for the following entity -->
    <Entity>https://sp.example1.org</Entity>
  
    <!-- do not sign responses -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>
  
    <!-- sign assertions but do not sign responses for the following entities -->
    <Entity>https://sp.example2.org</Entity>
    <Entity>https://sp.example3.org</Entity>

</MetadataFilter>

...

Code Block
languagexml
titleAdd an entity attribute that disables encryption
collapsetrue
<!-- 
    By default, SAML assertions are encrypted.
    This filter disables encryption for select entities.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

    <!-- this particular entity attribute disables encryption -->
    <saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
    </saml:Attribute>

    <!-- add the entity attribute to a predefined collection of entities -->
    <ConditionScript customObjectRef="MyEntityCollection">
        <Script>
        <![CDATA[
            // this function takes a custom object of type Collection<String>
            // and returns an implementation of Predicate<EntityDescriptor>;
            // the predicate is then applied to the input object
            //
            // the custom argument is of type:
            // java.util.Collection<String>
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.metadata.EntityDescriptor
            //
            (function (entityIDs) {
                "use strict";

                // return a trivial implementation of Predicate<EntityDescriptor>
                if (entityIDs === null) {
                    return function (entity) { return false; };
                }

                // return an implementation of Predicate<EntityDescriptor>
                // that depends on a custom object of type Collection<String>
                return function (entity) {
                    if (entity === null) { return false; }
                    return entityIDs.contains(entity.getEntityID());
                };
            }(custom))(input);
        ]]>
        </Script>
    </ConditionScript>
</MetadataFilter>