The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

EntityRoleWhiteListFilter

The EntityRoleWhiteList filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See below for an explicit example.

Filter order is important!

This filter changes the content of the metadata and so a filter of type EntityRoleWhiteList should appear after any SignatureValidationFilter in the overall sequence of filters.

Schema

The <MetadataFilter> element and the type EntityRoleWhiteList are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.

Attributes

NameTypeDefaultDescription

removeRolelessEntityDescriptors

booleantrue

Controls whether to keep entity descriptors that contain no roles. Note: If this attribute is set to false, the resulting output may not be schema-valid since an <md:EntityDescriptor> element must include at least one role descriptor.

removeEmptyEntitiesDescriptors

booleantrueControls whether to keep entities descriptors that contain no entity descriptors. Note: If this attribute is set to false, the resulting output may not be schema-valid since an <md:EntitiesDescriptor> element must include at least one child element, either an <md:EntityDescriptor> element or an <md:EntitiesDescriptor> element.

Affiliation descriptors are removed by default

An <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true, both are filtered from the input.

Child Elements

NameCardinalityDescription

<RetainedRole>

0 or more

The textual content is the XML QName of the role to be retained.

Note that property replacement cannot be used on this element.

Don't forget to configure a child element

If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of type EntityRoleWhiteList will remove all roles (and therefore all entities) from the input. This is probably not what you want to do.

Examples

The following example retains all <md:SPSSODescriptor> elements in the input:

Retain SP roles only
<MetadataFilter xsi:type="EntityRoleWhiteList" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
</MetadataFilter>

If a particular entity descriptor in the input contains no <md:SPSSODescriptor> child element, all role descriptors are removed from the entity. If the value of the removeRolelessEntityDescriptors attribute is true (which it is by default), the entity itself is removed as well.

If the value of the removeEmptyEntitiesDescriptors attribute is true (which it is by default), any <md:EntitiesDescriptor> element that contains neither an <md:EntityDescriptor> element nor an <md:EntitiesDescriptor> element is removed as well.