The <AttributeFilterScript> element contains a script (or a reference to a script) that ultimately applies an implementation of Predicate<Attribute> to a given entity attribute.
This feature requires IdP V3.4 or later.
The <AttributeFilterScript> element implicitly iterates over all entity attributes in the metadata pipeline. Each entity attribute is removed from the input stream if (and only if) the predicate evaluates to false for it.
The <AttributeFilterScript> element is a configuration element of type ScriptType. Both the element and its type are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.
The following sections describe the attributes and elements of the ScriptType type.
A script contained by an <AttributeFilterScript> element has access to an object called input by convention. The actual input argument is an instance of a class that implements the Attribute interface.
If the customObjectRef attribute is present on the <AttributeFilterScript> element, the result of the referenced Spring bean is made available to the script via a second object called custom. The type of the custom object is determined by the Spring bean.
Examples
If the customObjectRef attribute is not present on the <AttributeFilterScript> element, the script operates on a single input argument. The following trivial implementation of Predicate<Attribute> always returns false regardless of the input argument:
<AttributeFilterScript>
    <Script>
    <![CDATA[
        "use strict";

        // A trivial implementation of Predicate<Attribute>
        // applied to the input argument
        //
        // The input argument is of type:
        // org.opensaml.saml.saml2.core.Attribute
        //
        (function (attribute) {
            return false;
        }(input));
    ]]>
    </Script>
</AttributeFilterScript>
The formal parameter name is arbitrary. In the previous example, the parameter name attribute is used for clarity. A nontrivial script would depend on the formal parameter attribute.
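A nontrivial predicate, as an added example that is not part of the original page or the Shibboleth project's own code: it keeps an entity attribute only if its name is on an allowlist and its name format is the SAML URI format, and fails closed otherwise. The allowlist contents, the helper names (keepEntityAttribute, applyFilter, mockAttribute) and the sample data are assumptions made for illustration; mockAttribute and applyFilter stand in for the OpenSAML Attribute object and the implicit iteration so the logic can be run outside the IdP.

```javascript
"use strict";

// Assumed allowlist of entity attribute names accepted from this metadata source.
var ALLOWED_NAMES = ["http://macedir.org/entity-category"];
var URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri";

// Predicate<Attribute>: true keeps the entity attribute, false removes it.
// Calls only getName() and getNameFormat() on the input argument.
function keepEntityAttribute(attribute) {
    if (attribute === null || attribute === undefined) {
        return false; // fail closed on a missing input
    }
    var name = String(attribute.getName());
    var format = String(attribute.getNameFormat());
    return format === URI_FORMAT && ALLOWED_NAMES.indexOf(name) !== -1;
}

// Stand-in for the implicit iteration: an attribute is dropped
// if and only if the predicate evaluates to false for it.
function applyFilter(attributes, predicate) {
    return attributes.filter(function (a) { return predicate(a); });
}

// Constructed stand-in for org.opensaml.saml.saml2.core.Attribute.
function mockAttribute(name, nameFormat) {
    return {
        getName: function () { return name; },
        getNameFormat: function () { return nameFormat; }
    };
}

// Constructed sample input: one acceptable attribute, one with a name that is
// not on the allowlist, and one with the right name but the wrong name format.
var SAMPLE = [
    mockAttribute("http://macedir.org/entity-category", URI_FORMAT),
    mockAttribute("urn:example:unvetted-attribute", URI_FORMAT),
    mockAttribute("http://macedir.org/entity-category",
                  "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified")
];

// Names of the attributes that survive the filter.
function keptNames() {
    return applyFilter(SAMPLE, keepEntityAttribute).map(function (a) {
        return a.getName();
    });
}

console.log(keptNames());
```

Inside the IdP, the body of keepEntityAttribute would be placed in the <Script> CDATA section and invoked on input in the same way as the trivial example above.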