The Shibboleth IdP V4 software will leave support on September 1, 2024.

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The AttributeInMetadata type is a Matcher which filters results based on <md:RequestedAttribute> elements within the request-indicated <md:AttributeConsumingService> in the SP's metadata. The parameterization controls:

  • Whether the <md:RequestedAttribute> naming is applied directly or indirectly via the AttributeRegistryConfiguration (the former is indicated by use of attributeName and attributeNameFormat)

  • The behavior when the metadata contains no <md:RequestedAttribute> elements (via matchIfMetadataSilent)

  • The behavior with respect to the isRequired XML attribute

  • Whether this is a Matcher or a PolicyRule (via attributeID)

Value matching is supported but is purely string-based. Only string attribute values of the input attribute are inspected and they are compared with a string representation of each of the values in the RequestedAttribute. Only matching values are added to the Permit or Deny List.

Reference

Examples

Suppose an SP has the following requested attributes in metadata:

<md:RequestedAttribute FriendlyName="eduPersonPrincipalName"
   Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="displayName"
   Name="urn:oid:2.16.840.1.113730.3.1.241"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="mail"
   Name="urn:oid:0.9.2342.19200300.100.1.3"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Then an IdP with the following configuration will release the indicated wire attributes to the above SP, provided that it is configured with attribute transcoding rules that map its internal attribute IDs to the SAML naming above.

<afp:AttributeFilterPolicy id="releaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="basic:ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>

Now suppose an SP has the following requested attributes in metadata:

<md:RequestedAttribute FriendlyName="metaSharedUserID"
   Name="http://example.org/attribute/metaSharedUserID"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="metaPersonName"
   Name="http://example.org/attribute/metaPersonName"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

<md:RequestedAttribute FriendlyName="metaEmailAddress"
   Name="http://example.org/attribute/metaEmailAddress"
   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>

Then two IdPs with the following configurations will release the indicated wire attributes to the above SP:


<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="ANY"/>

  <afp:AttributeRule attributeID="eduPersonPrincipalName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaSharedUserID"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="displayName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaPersonName"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaEmailAddress"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>



<afp:AttributeFilterPolicy id="mapAndReleaseEssentialAttributesToAnySP">

  <afp:PolicyRequirementRule xsi:type="ANY"/>

  <afp:AttributeRule attributeID="eduPersonUniqueId">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaSharedUserID"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="givenName">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaPersonName"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

  <afp:AttributeRule attributeID="email">
    <afp:PermitValueRule xsi:type="AttributeInMetadata"
        attributeName="http://example.org/attribute/metaEmailAddress"
        attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </afp:AttributeRule>

</afp:AttributeFilterPolicy>


Note that both IdPs have an attribute release policy that relies on the same set of requested attributes, but the requested attributes are mapped to different wire attributes in each case.
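An added example, not code from the Shibboleth project, that models the decision the matcher makes: it parses the request-indicated AttributeConsumingService out of a constructed SP metadata fragment and applies a policy in the shape of the mapped configurations above (attributeID to attributeName/attributeNameFormat), including the matchIfMetadataSilent behaviour and the string-based value matching. The entityID, the values and the affiliation constraint are hypothetical, and a RequestedAttribute without a NameFormat is treated as matching any format, which is a simplification.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed SP metadata (hypothetical entityID) with one default AttributeConsumingService;
# the eduPersonAffiliation request also constrains the acceptable values.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}" entityID="https://sp.example.org/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1" isDefault="true">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="{URI_FMT}" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" NameFormat="{URI_FMT}">
        <saml:AttributeValue>member</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def requested_attributes(metadata_xml, index=None):
    """Wire Name -> (NameFormat, [values]) for the ACS the request indicates by
    index, or the default (else first) ACS when the request names none."""
    acs_list = ET.fromstring(metadata_xml).findall(f".//{{{MD}}}AttributeConsumingService")
    match = ([a for a in acs_list if a.get("index") == str(index)] if index is not None
             else [a for a in acs_list if a.get("isDefault") == "true"] or acs_list)
    requested = {}
    for ra in (match[0].findall(f"{{{MD}}}RequestedAttribute") if match else []):
        requested[ra.get("Name")] = (ra.get("NameFormat"),
                                     [v.text for v in ra.findall(f"{{{SAML}}}AttributeValue")])
    return requested

def attribute_in_metadata(requested, wire_name, wire_format, values, match_if_metadata_silent=False):
    """Values of one IdP attribute the matcher permits, given the wire naming it is configured with."""
    if not requested:               # metadata says nothing: release only when matchIfMetadataSilent
        return list(values) if match_if_metadata_silent else []
    entry = requested.get(wire_name)
    if entry is None or (entry[0] and entry[0] != wire_format):   # name and format must agree
        return []                   # (a missing NameFormat in metadata is accepted: simplification)
    wanted = entry[1]               # literal values listed in the RequestedAttribute, if any
    return list(values) if not wanted else [v for v in values if str(v) in wanted]

def apply_policy(policy, attributes, requested, **kwargs):
    """policy: attributeID -> (attributeName, attributeNameFormat); attributes: attributeID -> values."""
    released = {}
    for attr_id, (name, fmt) in policy.items():
        permitted = attribute_in_metadata(requested, name, fmt, attributes.get(attr_id, []), **kwargs)
        if permitted:
            released[attr_id] = permitted
    return released
```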
