Attribute In Metadata Matching Rule
This matching rule evaluates to true if the attribute requester's metadata contains a <RequestedAttribute>
element matching a designated attribute (since v2.4).
This filter requires that the metadata for the attribute requester is loaded and available. It looks for an <AttributeConsumingService>
element in the SP's metadata that corresponds to the authentication request (either by default or by explicit reference via an AttributeConsumingServiceIndex
attribute in the request message). Matching then proceeds based on the contents of that element.
Limited support is provided for value matching. Using simple <AttributeValue>
elements in metadata works to filter specific values of matched attributes.
Define the Rule
This matching rule cannot be used in a policy requirement rule, only in attribute rules.
This rule is defined by the element <PermitValueRule xsi:type="saml:AttributeInMetadata">
, for permit value rules, with the following optional attributes:
- onlyIfRequired - match only if the requested attribute is flagged in the metadata as
isRequired
, defaults to true - matchIfMetadataSilent - match if the metadata contains no
<AttributeConsumingService>
element at all, defaults to false.
<AttributeRule attributeID="eduPersonPrincipalName"> <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/> </AttributeRule>
A more complete example is found elsewhere in this wiki.