
The <AttributeFilter> element is used to configure plugins that filter incoming attributes to prevent applications protected by an SP from seeing data that violates whatever policies the filter implements.

While there are no specifically "mandated" points at which filters run, the SP generally invokes filtering immediately prior to the caching of a set of attributes into a user's session. Actually performing the filtering process is typically up to an Assertion Consumer Service handler (in the case of attributes delivered during SSO) or an attribute resolver.

The filter's XML "portion" is a reloadable resource, which means that the XML content can be supplied inline, in a local file, or a remote file, and can be monitored for changes and reloaded on the fly.  

This page refers to several different namespaces, as detailed below:

Namespace | URI                                      | Description
afp       | urn:mace:shibboleth:2.0:afp              | The Shibboleth attribute filter rules namespace
basic     | urn:mace:shibboleth:2.0:afp:mf:basic     | The "basic" Shibboleth attribute filter rules namespace
conf      | urn:mace:shibboleth:2.0:native:sp:config | The Shibboleth SP configuration namespace

Attributes

The attribute type="XML" must be present.

If the filter policy is to be loaded from somewhere other than inline (a local file or a remote resource), the reloadable-resource attributes below may be specified.

Name            | Type            | Default | Description
id              | string          |         | Identifies the component for logging purposes.
url             | URL             |         | Remote location of an XML resource containing the required configuration. The SP does not verify the transport (i.e. it does not verify the X.509 certificate presented by the remote server when HTTPS is the transport).
path            | local path      |         | Path to a local file containing the required configuration.
validate        | boolean         | false   | If true, XML validation is performed when loading the resource.
reloadChanges   | boolean         | true    | If a path attribute is used, the local file is monitored for changes and reloaded dynamically. This incurs some runtime overhead for locking, so it should be disabled if not needed.
maxRefreshDelay | time in seconds | 0       | If a url attribute is used, this attribute sets the time between attempts to download a fresh copy of the resource. If 0 (the default), no reloading occurs. This incurs some runtime overhead for locking, so it should be left at 0 if not needed.
reloadInterval  | time in seconds | 0       | Synonym for maxRefreshDelay.
backingFilePath | local path      |         | If a url attribute is used, the downloaded resource is copied to this location. If the software is started and the remote resource is unavailable or invalid, the backing file is loaded instead.
certificate     | local path      |         | Path to a certificate containing a public key to use to require and verify an XML signature over the resource. The certificate's other content is ignored.
signerName      | string          |         | If present, the name is supplied to the <TrustEngine> used to verify an XML signature over the resource. A certificate containing the name must be available in the verification process (typically inside the signature).
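Because the url attribute gives no transport-level assurance (the SP does not check the remote server's X.509 certificate), a remotely loaded policy should be protected with the signature and backing-file attributes from the table above. The following shibboleth2.xml fragment is an added example, not configuration shipped with the SP; the URL, the file paths and the refresh interval are placeholders, and the weak form is shown commented out beside the hardened one.

```xml
<!-- Weak: the SP trusts whatever the remote server returns, and has nothing to
     fall back on if the server is down at startup.

<AttributeFilter type="XML" url="https://policy.example.org/attribute-policy.xml"/>
-->

<!-- Hardened (placeholder values):
     - certificate: the resource must carry an XML signature verifiable with this key,
       so a tampered or substituted policy is rejected regardless of the transport;
     - backingFilePath: the last good copy is kept locally and loaded when the remote
       resource is unavailable or invalid at startup;
     - maxRefreshDelay: a coarse interval (seconds) bounds the locking overhead of
       periodic refresh while still picking up policy changes;
     - validate: schema-validate the document before it is put into service. -->
<AttributeFilter type="XML"
                 url="https://policy.example.org/attribute-policy.xml"
                 certificate="/path/to/attribute-policy-signer.pem"
                 backingFilePath="/path/to/attribute-policy-backup.xml"
                 maxRefreshDelay="3600"
                 validate="true"/>
```

If the signing certificate is instead expected to travel inside the signature, signerName together with a <TrustEngine> child element serves the same purpose; the certificate attribute and a <CredentialResolver> child are mutually exclusive, so pick one mechanism.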

Child elements

These child elements are typically only used when relying on a remote configuration resource and are for advanced use cases.

Name                 | Cardinality | Description
<TrustEngine>        | 0 or 1      | Used to require the presence of a top-level signature over the entire resource and to control the verification process.
<CredentialResolver> | 0 or 1      | Used to require the presence of a top-level signature over the entire resource and to control the verification process. Mutually exclusive with the <TrustEngine> element and the certificate attribute.
<TransportOption>    | 0 or more   | Provides low-level control over the library used to remotely access the resource.

Context

The root of the XML instance MUST be an <afp:AttributeFilterPolicyGroup> element.

For the time being, refer to the IdPAddAttributeFilter topic for more details.

Examples

Inline Attribute Filter

<config:AttributeFilter type="XML">
    <!-- Namespace declarations are given here so the fragment is self-contained;
         they may equally be declared on the root element of shibboleth2.xml.
         Unprefixed xsi:type values resolve against the default namespace, so
         the basic functor types are written with their prefix. -->
    <afp:AttributeFilterPolicyGroup
        xmlns:afp="urn:mace:shibboleth:2.0:afp"
        xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

        <!-- Shared rule for affiliation values. -->
        <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="alum"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="affiliate"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="employee"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="library-walk-in"/>
        </afp:PermitValueRule>
    </afp:AttributeFilterPolicyGroup>
</config:AttributeFilter>

External Attribute Filter

<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

See the current example attribute policy file.
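The inline example above defines a shared PermitValueRule but no policy that applies it, so on its own it filters nothing. The following attribute-policy.xml is an added example, not the file shipped with the SP, showing a complete <afp:AttributeFilterPolicyGroup> that applies the shared affiliation rule and a scope check; the attribute IDs (affiliation, unscoped-affiliation, eppn) are assumed to match those defined in the deployment's attribute-map.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the SP's shipped default. The default namespace is set to
     the basic functor namespace, so unprefixed xsi:type values such as "OR" and
     "AttributeValueString" resolve to basic:OR and basic:AttributeValueString. -->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for affiliation values: only the listed vocabulary survives,
         so an IdP sending an undefined affiliation cannot smuggle it to the application. -->
    <afp:PermitValueRule id="eduPersonAffiliationValues" xsi:type="OR">
        <Rule xsi:type="AttributeValueString" value="faculty"/>
        <Rule xsi:type="AttributeValueString" value="student"/>
        <Rule xsi:type="AttributeValueString" value="staff"/>
        <Rule xsi:type="AttributeValueString" value="alum"/>
        <Rule xsi:type="AttributeValueString" value="member"/>
        <Rule xsi:type="AttributeValueString" value="affiliate"/>
        <Rule xsi:type="AttributeValueString" value="employee"/>
        <Rule xsi:type="AttributeValueString" value="library-walk-in"/>
    </afp:PermitValueRule>

    <!-- Shared rule for scoped attributes: the value part must not itself contain '@',
         and the scope must match a <shibmd:Scope> the issuing IdP carries in metadata.
         This is the check that stops one IdP from asserting identifiers in another
         organisation's domain. It must be referenced explicitly for each scoped attribute. -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <Rule xsi:type="NOT">
            <Rule xsi:type="AttributeValueRegex" regex="@"/>
        </Rule>
        <Rule xsi:type="saml:AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <!-- One policy that applies to attributes from every issuer. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="ANY"/>

        <!-- Attribute IDs are assumed to match attribute-map.xml. -->
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="unscoped-affiliation">
            <afp:PermitValueRuleReference ref="eduPersonAffiliationValues"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>

        <!-- Within this policy, attributes without a rule of their own fall through
             here and pass unchanged. Remove this rule to drop anything not named above. -->
        <afp:AttributeRule attributeID="*" permitAny="true"/>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The file is referenced from shibboleth2.xml with the external form shown above (`<AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>`); with validate="true" a malformed policy is rejected at load time rather than silently filtering nothing, and with the default reloadChanges="true" edits to the file take effect without a restart.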
