Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd


Overview

...

...

The

...

V4.1+

EntityRole filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See below for an explicit example.

...

The following example retains all <md:SPSSODescriptor> elements in the input:

V4.0
Retain SP roles unsafe-only
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

...

Retain SP roles unsafe-only
<MetadataFilter xsi:type="EntityRole" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

If a particular entity in the input contains no <md:SPSSODescriptor> child element, all role descriptors are removed from the entity. If the value of the removeRolelessEntityDescriptors attribute is true (which it is by default), the entity itself is removed as well.
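
The filtering behaviour described above, modelled as an added Python example (not Shibboleth's implementation and not code from this page). The sample aggregate, its entityIDs and the function name filter_roles are constructed for illustration, and only a flat aggregate (entities directly under the root) is handled.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
# Role descriptor elements defined by the SAML 2.0 metadata schema.
ROLES = {f"{{{MD}}}{name}" for name in (
    "IDPSSODescriptor", "SPSSODescriptor", "AuthnAuthorityDescriptor",
    "AttributeAuthorityDescriptor", "PDPDescriptor", "RoleDescriptor")}

# Constructed sample aggregate: an SP, an IdP, and an entity with both roles.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://both.example.org/entity">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def filter_roles(xml_text, retained=("SPSSODescriptor",), remove_roleless=True):
    """Apply the retain/remove rules and return {entityID: [surviving roles]}.

    remove_roleless mirrors the removeRolelessEntityDescriptors attribute.
    """
    root = ET.fromstring(xml_text)
    keep = {f"{{{MD}}}{name}" for name in retained}
    entity_tag = f"{{{MD}}}EntityDescriptor"
    for entity in list(root.findall(entity_tag)):
        # Drop every role descriptor that is not explicitly retained.
        for child in list(entity):
            if child.tag in ROLES and child.tag not in keep:
                entity.remove(child)
        # An entity left with no role descriptor is removed as well (default).
        if remove_roleless and not any(c.tag in ROLES for c in entity):
            root.remove(entity)
    return {e.get("entityID"): [c.tag.split("}")[1] for c in e if c.tag in ROLES]
            for e in root.findall(entity_tag)}


if __name__ == "__main__":
    for entity_id, roles in filter_roles(SAMPLE).items():
        print(entity_id, roles)
```

Calling filter_roles(SAMPLE, remove_roleless=False) keeps the IdP-only entity in the result with an empty role list, which shows what setting the attribute to false leaves behind.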

...