The <MetadataFilter> element configures a filter that examines metadata supplied by a metadata provider and adds, modifies, or deletes information depending on the filter's behavior.

Filters are generally used to impose additional security requirements on metadata, or to limit the metadata consumed. Others are more advanced and work in conjunction with other software features.

Common attribute:

- type (string): identifies the filter plugin to use. The supported types are described below.

Signature filter

Identified by type="Signature", validates any XML Signatures found in the metadata according to trust information configured into the filter. Embedded signatures are checked, but a primary signature over the metadata instance as a whole MUST be present.

Example:

    <MetadataFilter type="Signature" certificate="signer.pem"/>

A variety of configuration options can be used, but they are mutually exclusive.

Attributes and child elements:

- certificate (local pathname) (Version 2.1 and Above)
- verifyRoles (boolean) (defaults to false)
- verifyName (boolean) (defaults to true) (Version 2.6 and Above)
- verifyBackup (boolean) (defaults to true)
- <CredentialResolver> (optional)
- <TrustEngine> (optional)

Whitelist filter

Identified by type="Whitelist", deletes metadata for any entity not matched inside the plugin's configuration.

Examples:

    <MetadataFilter type="Whitelist">
        <Include>https://idp.goodguy.com/shibboleth</Include>
    </MetadataFilter>

    <MetadataFilter type="Whitelist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category-support"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
    </MetadataFilter>

Attributes and child elements:

- matcher (string) (Version 2.5 and Above)
- <Include> (zero or more): an entityID found in the source metadata, identifying an entity to keep.

Blacklist filter

Identified by type="Blacklist", filters out metadata for any entity or entity group listed inside the plugin's configuration.

Example:

    <MetadataFilter type="Blacklist">
        <Exclude>https://idp.badguy.com/shibboleth</Exclude>
        <Exclude>urn:evil:empire:entities</Exclude>
    </MetadataFilter>

Attributes and child elements:

- matcher (string) (Version 2.5 and Above)
- <Exclude> (zero or more): an entityID or group Name found in the source metadata, identifying an entity or group to filter out. When groups are excluded, all children of the group are excluded without further examination by any filters.

RequireValidUntil filter

Identified by type="RequireValidUntil", rejects metadata whose root element does not contain a validUntil attribute, or whose validity period exceeds a threshold.

Example:

    <MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>

Attributes:

- maxValidityInterval (time in seconds) (defaults to 604800, seven days)

EntityRoleWhiteList filter

Identified by type="EntityRoleWhiteList", removes unneeded/irrelevant role information from metadata to save memory.

Example:

    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    </MetadataFilter>

Attributes and child elements:

- removeRolelessEntityDescriptors (boolean) (defaults to true)
- removeEmptyEntitiesDescriptors (boolean) (defaults to true)
- <RetainedRole> (one or more)

EntityAttributes filter

Identified by type="EntityAttributes", adds <mdattr:EntityAttributes> extension content to entities in order to drive software behavior based on them. Entity attributes are <saml:Attribute> elements that annotate entities in metadata. They can be used to populate user attributes at runtime, drive other metadata filters, or impact discovery interfaces.

Example:

    <MetadataFilter type="EntityAttributes">
        <saml:Attribute FriendlyName="state" Name="urn:oid:2.5.4.8"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>Ohio</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute FriendlyName="locality" Name="urn:oid:2.5.4.7"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>Columbus</saml:AttributeValue>
        </saml:Attribute>
        <Entity>urn:mace:incommon:osu.edu</Entity>
    </MetadataFilter>

Child elements:

- <saml:Attribute> (one or more): added to the <mdattr:EntityAttributes> extension of the entities that follow it.
- <Entity> (one or more): all of the <saml:Attribute> elements preceding an <Entity> element will be attached to that entity.
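A single metadata provider chaining the filters described above, as an added example that is not part of the original page. The <MetadataProvider> attributes (type="XML", url, backingFilePath, reloadInterval), the federation URL, certificate path and entityIDs are assumed or constructed values, the saml: prefix is assumed to be declared on the configuration root, and filters are assumed to run in the order written, so the signature check is applied before anything else inspects the content.

```xml
<!-- Added example, not from the original page. Provider attributes, URLs,
     file paths and entityIDs below are assumed/constructed values. -->
<MetadataProvider type="XML" url="https://md.example-federation.org/metadata.xml"
                  backingFilePath="federation-metadata.xml" reloadInterval="3600">

    <!-- Reject the whole document unless a signature over the metadata
         instance verifies against the federation's signing certificate. -->
    <MetadataFilter type="Signature" certificate="federation-signer.pem"/>

    <!-- Refuse metadata with no validUntil, or a validity window longer than
         7 days (604800 s), so a stale or replayed copy cannot be trusted forever. -->
    <MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>

    <!-- Keep only entities tagged with the Research and Scholarship category. -->
    <MetadataFilter type="Whitelist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category-support"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
    </MetadataFilter>

    <!-- Remove one specific entity and one whole group; group children are
         dropped without further examination by later filters. -->
    <MetadataFilter type="Blacklist">
        <Exclude>https://idp.retired.example.org/shibboleth</Exclude>
        <Exclude>urn:example:retired:entities</Exclude>
    </MetadataFilter>

    <!-- This SP only needs IdP roles; drop everything else to save memory. -->
    <MetadataFilter type="EntityRoleWhiteList">
        <RetainedRole>md:IDPSSODescriptor</RetainedRole>
    </MetadataFilter>

    <!-- Annotate a local IdP so logic keyed on entity attributes can use it. -->
    <MetadataFilter type="EntityAttributes">
        <saml:Attribute FriendlyName="state" Name="urn:oid:2.5.4.8"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>Ohio</saml:AttributeValue>
        </saml:Attribute>
        <Entity>https://idp.example.edu/shibboleth</Entity>
    </MetadataFilter>
</MetadataProvider>
```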
Additional examples are also available. These provide more complete examples and are contributed by users of the software.

- Refresh InCommon Federation metadata every hour