The EntityRoleWhiteList filter retains all entities that have at least one of the specified roles. Most commonly this is used to filter out entities that do not have an SP role, allowing the corresponding memory to be reclaimed.
Filter order is important!
This filter changes the content of the metadata and so a filter of type EntityRoleWhiteList should appear after any SignatureValidationFilter in the overall sequence of filters.
Namespace and Schema
The <MetadataFilter> element and the type EntityRoleWhiteList are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
Reference
Attributes
Name | Type | Default | Description |
---|---|---|---|
| Boolean | true | Controls whether to keep entity descriptors that contain no roles |
| Boolean | true | Controls whether to keep entities descriptors that contain no entity descriptors |
Child Elements
Name | Cardinality | Description |
---|---|---|
<RetainedRole> | 0 or more | The textual content is the XML QName of the role to be retained. Note that property replacement cannot be used on this element. |
Examples
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>
Don't forget to configure at least one <RetainedRole> child element!
Without a <RetainedRole> child element, the filter will retain no entities; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all entities from the input. This is probably not what you want to do.
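The two pitfalls described on this page (an EntityRoleWhiteList filter placed ahead of signature validation, and one with no <RetainedRole> child) can be caught before deployment with a small configuration check. The script below is an added example, not part of the Shibboleth documentation or code base; the function names, the sample documents and the placeholder certificate file name are constructed, and it assumes the signature filter is declared with xsi:type="SignatureValidation".

```python
import xml.etree.ElementTree as ET

NS = "urn:mace:shibboleth:2.0:metadata"   # namespace named on this page
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
FILTER, ROLE = f"{{{NS}}}MetadataFilter", f"{{{NS}}}RetainedRole"
SIG_TYPE = "SignatureValidation"           # assumed xsi:type of the signature filter

def filter_type(elem):
    """Return the xsi:type value with any namespace prefix stripped."""
    return elem.get(XSI_TYPE, "").split(":")[-1]

def lint_filters(xml_text):
    """Return findings for every EntityRoleWhiteList filter in xml_text."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        # Sibling filters in document order, which is the order they run in.
        filters = [c for c in parent if c.tag == FILTER]
        types = [filter_type(c) for c in filters]
        for pos, (elem, kind) in enumerate(zip(filters, types), start=1):
            if kind != "EntityRoleWhiteList":
                continue
            roles = [r for r in elem.findall(ROLE) if (r.text or "").strip()]
            if not roles:
                findings.append(f"filter {pos}: no <RetainedRole>, every entity is removed")
            if SIG_TYPE in types[pos:]:
                findings.append(f"filter {pos}: runs before {SIG_TYPE}")
    return findings

HEAD = ('<MetadataProvider id="constructed" xmlns="' + NS + '" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">')
SIG = '<MetadataFilter xsi:type="SignatureValidation" certificateFile="placeholder.pem"/>'
# Constructed sample: empty role filter placed ahead of signature validation.
BAD = HEAD + '<MetadataFilter xsi:type="EntityRoleWhiteList"/>' + SIG + '</MetadataProvider>'
# Constructed sample: signature validation first, then one retained role.
GOOD = (HEAD + SIG + '<MetadataFilter xsi:type="EntityRoleWhiteList">'
        '<RetainedRole>md:SPSSODescriptor</RetainedRole></MetadataFilter></MetadataProvider>')

if __name__ == "__main__":
    for name, doc in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, lint_filters(doc) or "ok")
```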