The Shibboleth IdP V4 software will leave support on September 1, 2024.

You are viewing an old version of this page (Version 8).

Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Overview

A filter of type NameIDFormat adds SAML <md:NameIDFormat> elements to metadata in order to drive software behavior (primarily Name Identifier format selection).

Sequences of string-valued <Format> elements are supplied as filter content. When a child element such as <Entity> or <ConditionRef> or <ConditionScript> evaluates to true, the formats are applied to all the recognized format-supporting roles of the corresponding entities. The filter does not have the capability to limit the roles to which formats will be attached.

Filter order is important!

This filter changes the content of the metadata and so a filter of type NameIDFormat should appear after any SignatureValidationFilter in the overall MetadataProvider.

Position the NameIDFormat filter for efficiency

Deliberately position a NameIDFormat filter in the overall sequence of filters for optimal efficiency. In particular, a filter of type NameIDFormat should appear after the EntityRoleFilter since the latter effectively removes entities from the input.
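The two ordering rules above can be checked mechanically. The following is an added example, not part of the Shibboleth documentation or code base: a small Python lint that reports any NameIDFormat filter placed before a signature-validation or entity-role filter in the same provider. The xsi:type values `SignatureValidation`, `EntityRole` and `EntityRoleWhiteList`, the provider types and the sample configuration are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:mace:shibboleth:2.0:metadata}"  # namespace given on this page
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumed xsi:type names of the filters that must run before NameIDFormat.
MUST_PRECEDE = {"SignatureValidation", "EntityRole", "EntityRoleWhiteList"}


def filter_types(provider):
    """xsi:type local names of a provider's direct MetadataFilter children, in order."""
    filters = provider.findall(MD + "MetadataFilter")
    return [f.get(XSI_TYPE, "").split(":")[-1] for f in filters]


def check_order(config_xml):
    """Return (provider id, message) for each NameIDFormat filter placed too early."""
    findings = []
    root = ET.fromstring(config_xml)
    for provider in root.iter(MD + "MetadataProvider"):
        types = filter_types(provider)
        for i, name in enumerate(types):
            if name != "NameIDFormat":
                continue
            # Any listed filter that comes later in the chain is an ordering error.
            for later in types[i + 1:]:
                if later in MUST_PRECEDE:
                    msg = f"NameIDFormat at position {i} precedes {later}"
                    findings.append((provider.get("id"), msg))
    return findings


# Constructed sample: provider "Good" follows the page's advice, "Bad" does not.
SAMPLE = """<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="Chain" xsi:type="ChainingMetadataProvider">
  <MetadataProvider id="Good" xsi:type="FileBackedHTTPMetadataProvider">
    <MetadataFilter xsi:type="SignatureValidation"/>
    <MetadataFilter xsi:type="EntityRole"/>
    <MetadataFilter xsi:type="NameIDFormat"/>
  </MetadataProvider>
  <MetadataProvider id="Bad" xsi:type="FileBackedHTTPMetadataProvider">
    <MetadataFilter xsi:type="NameIDFormat"/>
    <MetadataFilter xsi:type="SignatureValidation"/>
  </MetadataProvider>
</MetadataProvider>"""

if __name__ == "__main__":
    for provider_id, message in check_order(SAMPLE):
        print(f"{provider_id}: {message}")
```

Only filters that are direct children of a provider are inspected; filters nested inside another filter are not followed.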

Reference

Examples

The following example adds the "persistent" format to the first entity, and both the "persistent" and "email" formats to the second.

Add NameIDFormat elements to metadata
<MetadataFilter xsi:type="NameIDFormat">
	<Format>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Format>
	<Entity>https://sp1.example.org</Entity>
	<Format>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</Format>
	<Entity>https://sp2.example.org</Entity>
</MetadataFilter>

The following example is similar, but the entities to which the formats apply are selected with inline scripts. These scripts are not particularly useful in themselves, but they demonstrate the syntax.

Use of scripts
<MetadataFilter xsi:type="NameIDFormat">
	<Format>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Format>
	<ConditionScript>
	    <Script>
	    <![CDATA[
		    input.getEntityID().equals("https://sp1.example.org");
	    ]]>
	    </Script>
	</ConditionScript>
	<Format>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</Format>
	<ConditionScript>
	    <Script>
	    <![CDATA[
		    input.getEntityID().equals("https://sp2.example.org");
	    ]]>
	    </Script>
	</ConditionScript>
</MetadataFilter>