EntityRoleFilter

Owned by Scott Cantor
Last updated: May 24, 2023
2 min read

Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd

Overview

The EntityRole filter removes unwanted role descriptors from entity metadata. Depending on the size and composition of the input, metadata filtered in this way may have a significantly reduced memory footprint.

For example, suppose an IdP loads (and reloads) metadata from a remote HTTP source using a FileBackedHTTPMetadataProvider. Since the IdP is focused on the <md:SPSSODescriptor> elements in the metadata aggregate, all other role descriptors may be removed. See below for an explicit example.

Filter order is important!

This filter changes the content of the metadata and so a filter of this type should appear after any SignatureValidationFilter in the overall sequence of filters.

Reference

Name

Type

Default

Description

Name

Type

Default

Description

removeRolelessEntityDescriptors

boolean

true

Controls whether to keep entity descriptors that contain no roles. Note: If false, the resulting output may not be schema-valid since an <md:EntityDescriptor> element must include at least one role descriptor child element.

removeEmptyEntitiesDescriptors

boolean

true

Controls whether to keep entities descriptors that contain no entity descriptors. Note: If false, the resulting output may not be schema-valid since an <md:EntitiesDescriptor> element must include at least one child element.

 

Affiliation descriptors are removed by default

An <md:EntityDescriptor> element that contains an <md:AffiliationDescriptor> child element is handled the same way as an <md:EntityDescriptor> element that contains no role descriptors. That is, if removeRolelessEntityDescriptors is true, both are filtered from the input.

Name

Cardinality

Description

Name

Cardinality

Description

<RetainedRole>

0 or more

The textual content is the XML QName of the role to be retained.

Note that property replacement cannot be used on this element.

Don't forget to configure a child element

If you forget to configure a <RetainedRole> child element, the filter will retain no roles; that is, an empty <MetadataFilter> element of this type will remove all roles (and therefore all entities) from the input. This is probably not what you want.

Examples

The following example retains all <md:SPSSODescriptor> elements in the input:

Retain SP roles unsafe-only
<MetadataFilter xsi:type="EntityRole" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"> <RetainedRole>md:SPSSODescriptor</RetainedRole> </MetadataFilter>

If a particular entity in the input contains no <md:SPSSODescriptor> child element, all role descriptors are removed from the entity. If the value of the removeRolelessEntityDescriptors attribute is true (which it is by default), the entity itself is removed as well.

If the value of the removeEmptyEntitiesDescriptors attribute is true (which it is by default), any <md:EntitiesDescriptor> element that contains neither an <md:EntityDescriptor> element nor an <md:EntitiesDescriptor> element is removed as well.