Overview
The AttributeInMetadata
type describes a Matcher that filters results based upon any <md:RequestedAttribute>
elements in the metadata for the AttributeConsumingService
for the request. The parameterization controls
- Whether the
RequestedAttribute
is mapped directly or not (attributeName
andattributeNameFormat
) - What the behavior is if the ACS has no requested Attributes. (
matchIfMetadataSilent
) - What the behavior is with respect to the
isRequired
XML attribute on the<md:RequestedAttribute>
element (if any) - Whether this is a Matcher or a PolicyRule (
attributeID
)
The AttributeInMetadata
type is a Matcher that consults <md:RequestedAttribute>
elements in SP metadata.
For a PolicyRule that consults Entity Attributes (associated with the SAML2 Metadata Entity for the SP) use EntityAttributeExactMatch
or EntityAttributeRegexMatch
Schema Name
The AttributeInMetadata
type is defined by the urn:mace:shibboleth:2.0:afp:mf
schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the saml:SAMLAttributeInMetadata
type is defined by the urn:mace:shibboleth:2.0:afp:mf:saml
schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd. Use of this namespace is deprecated, but is supported.
Attributes
Name | Type | Default | Description |
---|---|---|---|
attributeName | String | optional | If this attribute is present, a RequestedAttribute with this name is searched for. If absent then the attribute encoders associated with the (IdP) Attribute under consideration are consulted and the first matching (format and name) RequestedAttribute is used. |
attributeNameFormat | String | optional | If this attribute is present, provides additional filtering of the
Use of the |
matchIfMetadataSilent | boolean | false | If the value of this attribute is true, then all input values are returned if the metadata contains no <md:RequestedAttribute> elements whatsoever. This attribute has no effect if the metadata contains one or more <md:RequestedAttribute> elements. |
onlyIfRequired | boolean | true (erroneously false in release prior to 3.2, see here) | If the value of this attribute is true, and the <md:RequestedAttribute> element does not carry the isRequired="true" XML attribute, then no values are matched. |
attributeID | String | optional | If this attribute is present, then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. See AttributeValueString for an exmaple of how attributeID changes the meaning of a Matcher in a slightly less daunting environment. |
Value matching is purely string based. Only string attribute values of the input attribute are inspected and they are compared with a string representation of each of the values in the RequestedAttribute
. Only matching values are added to the Permit or Deny List.
AttributeInMetadata or MappedAttributeInMetadata?
AttributeInMetadata
and MappedAttributeInMetadata
are both matchers with significant overlap. In practice, use AttributeInMetadata
if you require to coerce the attributeName
or attributeNameFormat
and MappedAttributeInMetadata
if you need to compare non-string values, or are concerned about the extra costs of constantly performing the lookup in the metadata.
Child Elements
None
Example 1
<PermitValueRule xsi:type="AttributeInMetadata" id="PermitRule" onlyIfRequired="true" matchIfMetadataSilent="true"/>
Example 2
Suppose an SP has the following requested attributes in metadata:
<md:RequestedAttribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Then an IdP with the following configuration will release the indicated wire attributes to the above SP:
<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP"> <afp:PolicyRequirementRule xsi:type="basic:ANY"/> <!-- assuming ePPN is non-reassigned --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="AttributeInMetadata"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="AttributeInMetadata"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="AttributeInMetadata"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
Such an IdP will not release attributes to an SP unless the indicated requested attributes are in SP metadata.
Example 3
Now suppose an SP has the following requested attributes in metadata:
<md:RequestedAttribute FriendlyName="metaSharedUserID" Name="http://example.org/attribute/metaSharedUserID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <md:RequestedAttribute FriendlyName="metaPersonName" Name="http://example.org/attribute/metaPersonName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> <md:RequestedAttribute FriendlyName="metaEmailAddress" Name="http://example.org/attribute/metaEmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
Then two IdPs with the following configurations will release the indicated wire attributes to the above SP:
<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP"> <afp:PolicyRequirementRule xsi:type="ANY"/> <!-- assuming ePPN is non-reassigned --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaSharedUserID" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> <afp:AttributeRule attributeID="displayName"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaPersonName" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaEmailAddress" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP"> <afp:PolicyRequirementRule xsi:type="ANY"/> <!-- assuming ePUId is non-reassigned by definition --> <afp:AttributeRule attributeID="eduPersonUniqueId"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaSharedUserID" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaPersonName" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:PermitValueRule xsi:type="AttributeInMetadata" attributeName="http://example.org/attribute/metaEmailAddress" attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>
Note that both IdPs have an attribute release policy that relies on the same set of requested attributes, but the requested attributes are mapped to different wire attributes in each case.