A filter of type EntityAttributes
adds or removes SAML entity attributes to or from metadata in order to drive software behavior.
...
The embedded entity attribute is defined in the urn:oasis:names:tc:SAML:2.0:assertion
namespace, whose schema can be found at http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd. This namespace is usually associated with the saml:
prefix.
Attributes
None.
Child Elements
The first two are optional, mutually exclusive, and must appear first:
Name | Description |
---|---|
<AttributeFilterRef> 3.4 | Optional Bean ID of type Predicate |
| The content of this element is an inline or local script resource that implements Predicate<Attribute>, which is applied to all pre-existing extension attributes. Any entity attribute for which it evaluates to false is removed prior to subsequent additions. |
Then, any of the following can be supplied in any order:
...
Add entity attributes to metadata
The following example adds the entity attribute "https://sp.example.org/tagname1" to entity "https://sp1.example.org", and both "https://sp.example.org/tagname1" and "https://sp.example.org/tagname2" to entity "https://sp2.example.org".
<!--
Adds entity attributes to two SP entities. As the surrounding text explains,
sp1.example.org receives tagname1 only, while sp2.example.org receives both
tagname1 and tagname2: each saml:Attribute is carried forward to every
<Entity> element that follows it in the filter.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- single-valued entity attribute.
       NOTE(review): no NameFormat is given here, unlike the later examples on this
       page; confirm whether the code that consumes the tag requires one -->
  <saml:Attribute Name="https://sp.example.org/tagname1">
    <saml:AttributeValue>foo</saml:AttributeValue>
  </saml:Attribute>
  <!-- receives tagname1 -->
  <Entity>https://sp1.example.org</Entity>
  <!-- multi-valued entity attribute: one AttributeValue element per value -->
  <saml:Attribute Name="https://sp.example.org/tagname2">
    <saml:AttributeValue>foo</saml:AttributeValue>
    <saml:AttributeValue>bar</saml:AttributeValue>
  </saml:Attribute>
  <!-- receives tagname1 and tagname2 -->
  <Entity>https://sp2.example.org</Entity>
</MetadataFilter> |
...
<!--
By default, responses are signed but assertions are not.
This filter enables signing of both responses and assertions for sp.example1.org,
and signing of assertions only (responses unsigned) for sp.example2.org and
sp.example3.org. Entities not listed in this filter are not touched by it.
Each saml:Attribute is carried forward to every <Entity> listed after it (see the
inline comments), so signAssertions=true reaches all three entities while
signResponses=false reaches only the last two. For those two entities message
integrity then rests on the assertion signature alone.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- sign assertions.
       NOTE(review): xsi:type="xsd:boolean" assumes the xsd prefix is declared on the
       root element of the enclosing configuration file; confirm there -->
  <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
  </saml:Attribute>
  <!-- sign both responses and assertions for the following entity -->
  <Entity>https://sp.example1.org</Entity>
  <!-- do not sign responses -->
  <saml:Attribute Name="http://shibboleth.net/ns/profiles/saml2/sso/browser/signResponses" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
  </saml:Attribute>
  <!-- sign assertions but do not sign responses for the following entities -->
  <Entity>https://sp.example2.org</Entity>
  <Entity>https://sp.example3.org</Entity>
</MetadataFilter> |
...
<!--
By default, SAML assertions are encrypted.
This filter disables encryption for select entities: the entities are not listed
inline but are matched by a script against a collection defined elsewhere.
Entities outside that collection keep the encrypted default.
-->
<MetadataFilter xsi:type="EntityAttributes" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <!-- this particular entity attribute disables encryption.
       NOTE(review): xsi:type="xsd:boolean" assumes the xsd prefix is declared on the
       root element of the enclosing configuration file; confirm there -->
  <saml:Attribute Name="http://shibboleth.net/ns/profiles/encryptAssertions" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xsd:boolean">false</saml:AttributeValue>
  </saml:Attribute>
  <!-- add the entity attribute to a predefined collection of entities.
       customObjectRef names a bean (MyEntityCollection) that must exist elsewhere in
       the configuration; the script below expects it to be a java.util.Collection<String>
       of entityIDs -->
  <ConditionScript customObjectRef="MyEntityCollection">
    <Script>
      <![CDATA[
      // this function takes a custom object of type Collection<String>
      // and returns an implementation of Predicate<EntityDescriptor>;
      // the predicate is then applied to the input object
      //
      // the custom argument is of type:
      // java.util.Collection<String>
      //
      // the input argument is of type:
      // org.opensaml.saml.saml2.metadata.EntityDescriptor
      //
      (function (entityIDs) {
      "use strict";
      // return a trivial implementation of Predicate<EntityDescriptor>
      // fails closed: with no collection configured nothing matches, so the
      // encryptAssertions=false attribute is added to no entity
      if (entityIDs === null) {
      return function (entity) { return false; };
      }
      // return an implementation of Predicate<EntityDescriptor>
      // that depends on a custom object of type Collection<String>
      return function (entity) {
      // a null descriptor never matches
      if (entity === null) { return false; }
      // Collection.contains() on the Java collection, keyed by the entityID string
      return entityIDs.contains(entity.getEntityID());
      };
      }(custom))(input);
      ]]>
    </Script>
  </ConditionScript>
</MetadataFilter> |