Versions Compared

Old Version 8

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version Current

changes.mady.by.user trscavo@internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • onlyIfRequired - match only if the requested attribute is flagged in the metadata as isRequired, defaults to true
  • matchIfMetadataSilent - match if the metadata contains no <AttributeConsumingService> element at all, defaults to false.
  • attributeName - match if an attribute with the given name is listed in SP metadata (version 2.4.3 and later)
  • attributeNameFormat - match if an attribute with the given format is listed in SP metadata (version 2.4.3 and later)
Code Block
titleExample Permit Rule using the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonPrincipalName">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>

...

In version 2.4.3 and later, you can also include attributeName and attributeNameFormat attributes that specify a SAML Attribute to match on that is not the same as the one that is derived by examining the encoders configured for the attribute you're trying to release. In other words, in the above example, you could add attributeName="https://example.com/customAttribute" to release eduPersonPrincipalName if a custom attribute name is requested in metadata. In the following example, the eduPersonTargetedID attribute is released if the eduPersonPrincipalName attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) is listed in SP metadata:
 Code Block
titleAnother Use of the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonTargetedID">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
</AttributeRule>
More complete examples are found elsewhere in this wiki.