The EntityRoleWhiteList filter retains all entities that have at least one of the specified roles. Most commonly this is used to filter out entities that do not have an SP role, allowing the corresponding memory to be reclaimed.
Filter order is important!
This filter changes the content of the metadata and so a filter of type EntityRoleWhiteList should appear after any SignatureValidationFilter in the overall sequence of filters.
Namespace and Schema
The <MetadataFilter> element and the type EntityRoleWhiteList are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
Reference
Attributes
| Name | Type | Default | Description |
|---|---|---|---|
| Boolean | true | Controls whether to keep entity descriptors that contain no roles |
| Boolean | true | Controls whether to keep entities descriptors that contain no entity descriptors |
Child Elements
| Name | Cardinality | Description |
|---|---|---|
| 0 or more | The textual content is the XML QName of the role to be retained. Note that property replacement cannot be used on this element. |
Examples
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
<RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
Don't forget to configure at least one child element
<RetainedRole> child element, the filter will retain no entities; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all entities from the input. This is probably not what you want to do.