{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Namespace:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}},{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}}]},{"text":"urn:mace:shibboleth:2.0:metadata","type":"text","marks":[{"type":"code"}]},{"type":"hardBreak"},{"text":"Schema:","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}},{"type":"strong"}]},{"text":" ","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}}]},{"text":"http://shibboleth.net/schema/idp/shibboleth-metadata.xsd","type":"text","marks":[{"type":"textColor","attrs":{"color":"#222222"}},{"type":"link","attrs":{"href":"http://shibboleth.net/schema/idp/shibboleth-metadata.xsd"}}]}]},{"type":"extension","attrs":{"layout":"default","extensionType":"com.atlassian.confluence.macro.core","extensionKey":"toc","parameters":{"macroParams":{"minLevel":{"value":"1"},"maxLevel":{"value":"4"},"outline":{"value":"false"},"type":{"value":"list"},"printable":{"value":"false"}},"macroMetadata":{"macroId":{"value":"6bb1ab38-88cd-4530-a4bd-75a4733f1f19"},"schemaVersion":{"value":"1"},"title":"Table of Contents"}},"localId":"07802337-fd23-4ca3-9af7-92bb4932bc56"}},{"type":"heading","attrs":{"level":2},"content":[{"text":"Overview","type":"text"}]},{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"code"}]},{"text":" metadata filter applies an include or exclude rule to each entity in the input if a supplied ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"EntityDescriptor","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.saml2.metadata.EntityDescriptor"}}]},{"text":"> returns true. The predicate may be defined explicitly (via the ","type":"text"},{"text":"conditionRef","type":"text","marks":[{"type":"code"}]},{"text":" attribute) or implicitly from the child elements.","type":"text"}]},{"type":"panel","attrs":{"panelType":"warning"},"content":[{"type":"paragraph","content":[{"text":"Filter order is important!","type":"text","marks":[{"type":"strong"}]}]},{"type":"paragraph","content":[{"text":"This filter changes the content of the metadata and so a filter of type ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"code"}]},{"text":" should appear after any ","type":"text"},{"type":"inlineCard","attrs":{"url":"https://shibboleth.atlassian.net/wiki/spaces/IDP5/pages/3199507384"}},{"text":" in the overall sequence of filters.","type":"text"}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Reference","type":"text"}]},{"type":"expand","attrs":{"title":"XML Attributes"},"content":[{"type":"table","attrs":{"layout":"full-width","localId":"45376cbd-6f8f-4ffe-9f30-31ef1ad904c9"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Type","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[83.0]},"content":[{"type":"paragraph","content":[{"text":"Default","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[724.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"direction","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"\"include\" or \"exclude\"","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[83.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[724.0]},"content":[{"type":"paragraph","content":[{"text":"This attribute must be set to either \"include\" or \"exclude\".","type":"text"}]},{"type":"paragraph","content":[{"text":"If set to ","type":"text"},{"text":"\"include\"","type":"text","marks":[{"type":"code"}]},{"text":", then all entities that match the predicate are included in the result (all other entities are excluded).","type":"text"}]},{"type":"paragraph","content":[{"text":"If set to ","type":"text"},{"text":"\"exclude\"","type":"text","marks":[{"type":"code"}]},{"text":", then all entities that match the predicate are excluded from the result (all other entities are included).","type":"text"},{"type":"hardBreak"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"conditionRef","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Bean ID","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[83.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[724.0]},"content":[{"type":"paragraph","content":[{"text":"If present, the value of this attribute is the Spring Bean ID of a ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"EntityDescriptor","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.saml2.metadata.EntityDescriptor"}}]},{"text":"> to execute on each entity in the metadata being filtered.","type":"text"}]},{"type":"paragraph","content":[{"text":"If this attribute is not present, then the child elements are used to construct an implicit predicate as described below.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"trim","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[83.0]},"content":[{"type":"paragraph","content":[{"type":"hardBreak"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[724.0]},"content":[{"type":"paragraph","content":[{"text":"This attribute is required if a ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element appears; it controls whether leading and trailing whitespace is to be stripped from the each ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element's content","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[266.0]},"content":[{"type":"paragraph","content":[{"text":"removeEmptyEntitiesDescriptors","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[97.0]},"content":[{"type":"paragraph","content":[{"text":"Boolean","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[83.0]},"content":[{"type":"paragraph","content":[{"text":"true","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[724.0]},"content":[{"type":"paragraph","content":[{"text":"If the value of this attribute is true, then any ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element that becomes empty as a result of the filter is removed","type":"text"}]}]}]}]}]},{"type":"expand","attrs":{"title":"XML Elements"},"content":[{"type":"paragraph","content":[{"text":"If the ","type":"text"},{"text":"conditionRef","type":"text","marks":[{"type":"code"}]},{"text":" attribute is specified, then only it is used and any child elements are ignored. Otherwise the condition is constructed as one that returns true if:","type":"text"}]},{"type":"bulletList","content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"entityID","type":"text","marks":[{"type":"code"}]},{"text":" of the candidate matches any of the supplied ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements ","type":"text"},{"text":"OR","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The ","type":"text"},{"text":"Name","type":"text","marks":[{"type":"code"}]},{"text":" of any ancestor ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element for the candidate matches any of the supplied ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" child elements","type":"text"},{"text":" OR","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Any ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" extension elements associated with the candidate match the supplied ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" child elements ","type":"text"},{"text":"OR","type":"text","marks":[{"type":"strong"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Any scripts designated by a ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element return true","type":"text"}]}]}]},{"type":"paragraph"},{"type":"table","attrs":{"layout":"full-width","localId":"e8a2242c-edd9-45c1-a023-6b13c06568c6"},"content":[{"type":"tableRow","content":[{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":"Name","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"Cardinality","type":"text"}]}]},{"type":"tableHeader","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"Description","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":"","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"0 or more","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"The content of this element is an entity ID. If the content matches a candidate entity's entityID, then the condition is true.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":" ","type":"text"},{"text":"5.1","type":"text","marks":[{"type":"subsup","attrs":{"type":"sup"}}]}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"0 or more","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"The textual content is a regular expression to match against the entityID. If the expression matches a candidate entity's entityID, then the condition is true.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":"","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"0 or more","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"The content of this element is the Name of an element. If the content matches a candidate's surrounding group names, then the condition is true.","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":"","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"0 or more","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"The (required) attribute 'name' provides the Name to match,","type":"text"},{"type":"hardBreak"},{"text":"The (optional) attribute 'nameFormat' specifies the NameFormat to match. If not specified (or set to urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified), then all formats match.","type":"text"}]},{"type":"paragraph","content":[{"text":"The content of this element is a series of one or more elements whose contents specify a specific to match (which may be trimmed in accordance with the trim attribute mentioned above).","type":"text"}]},{"type":"paragraph","content":[{"text":"(See example below.)","type":"text"}]}]}]},{"type":"tableRow","content":[{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[178.0]},"content":[{"type":"paragraph","content":[{"text":"<","type":"text"},{"text":"ConditionScript","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199507115"}}]},{"text":">","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[118.0]},"content":[{"type":"paragraph","content":[{"text":"0 or more","type":"text"}]}]},{"type":"tableCell","attrs":{"colspan":1,"rowspan":1,"colwidth":[886.0]},"content":[{"type":"paragraph","content":[{"text":"The content of this element is an inline or local script resource that implements ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-jdk.cgi/java.util.function.Predicate"}}]},{"text":"<","type":"text"},{"text":"EntityDescriptor>","type":"text","marks":[{"type":"link","attrs":{"href":"http://shibboleth.net/cgi-bin/java-opensaml.cgi/org.opensaml.saml.saml2.metadata.EntityDescriptor"}}]}]}]}]}]}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Examples","type":"text","marks":[{"type":"textColor","attrs":{"color":"#000000"}}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Include a single entity","type":"text"}]},{"type":"paragraph","content":[{"text":"The following simple example includes at most one entity. This filter intentionally prevents new or unexpected entities from appearing in the metadata feed.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Include a single entity","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\thttps://sp.example.org/trusted-sp\n","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Exclude all entities containing a particular entity attribute","type":"text"}]},{"type":"paragraph","content":[{"text":"The next example excludes all entities containing a particular entity attribute, presumably because the IdP is the sole authority for this attribute.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Exclude all entities containing an unauthorized entity attribute","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n http://idp.example.org/local-category\n \n","type":"text"}]},{"type":"expand","attrs":{"title":"Exclude all entities subject to a compound implicit condition"},"content":[{"type":"paragraph","content":[{"text":"Note that implicit conditions may be combined in logical ","type":"text"},{"text":"OR","type":"text","marks":[{"type":"strong"}]},{"text":" fashion. For instance, if any of the conditions in the following example are true, the entity is excluded:","type":"text"}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n https://sp.example.org/untrusted-sp\n \n \n http://idp.example.org/local-category-one\n http://idp.example.org/local-category-two\n \n \n \n http://idp.example.org/local-category-three\n \n","type":"text"}]}]},{"type":"panel","attrs":{"panelType":"info"},"content":[{"type":"paragraph","content":[{"text":"The name ","type":"text"},{"text":"\"http://macedir.org/entity-category\"","type":"text","marks":[{"type":"code"}]},{"text":" used in the above examples is a standard entity attribute name. For reference, consult the following specification: ","type":"text"},{"text":"The Entity Category SAML Attribute Types","type":"text","marks":[{"type":"link","attrs":{"href":"https://datatracker.ietf.org/doc/draft-young-entity-category/"}}]}]}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Include all entities based on a regexp applied to the entityID","type":"text"}]},{"type":"paragraph","content":[{"text":"The core of this is the ","type":"text"},{"text":"RegexPredicate. ","type":"text","marks":[{"type":"code"}]},{"text":"However this takes a string, rather than an EntityID and so we need to navigate to it. We could of course use jacascript, but the Spring EL Predicate provides a better shorthand. One injects the ","type":"text"},{"text":"RegexPredicate","type":"text","marks":[{"type":"code"}]},{"text":" to do the work and use Spring EL to do the navigation. The result is this Spring Segment","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Regexp predicate","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n","type":"text"}]},{"type":"heading","attrs":{"level":3},"content":[{"text":"Exclude \"roleless\" entity descriptors","type":"text"}]},{"type":"paragraph","content":[{"text":"Recall that the following ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/IDP5/pages/3199507218"}}]},{"text":" filter retains all ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" elements in the input:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Retain SP roles only","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n md:SPSSODescriptor\n","type":"text"}]},{"type":"paragraph","content":[{"text":"The previous filter essentially filters all non-SP role descriptors from the input. At the end of that process, if an empty entity descriptor remains (because all of its roles have been removed), the entity itself is removed.","type":"text"}]},{"type":"paragraph","content":[{"text":"Unfortunately the ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"code"}]},{"text":" filter may not handle affiliation descriptors as expected. Specifically, an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element that contains an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" child element is handled in exactly the same way as an ","type":"text"},{"text":"","type":"text","marks":[{"type":"code"}]},{"text":" element that contains no role descriptors. That is, if ","type":"text"},{"text":"removeRolelessEntityDescriptors","type":"text","marks":[{"type":"code"}]},{"text":" is true (which it is by default), both are removed from the input.","type":"text"}]},{"type":"paragraph","content":[{"text":"A quick fix that preserves any affiliation descriptors in the input is to set ","type":"text"},{"text":"removeRolelessEntityDescriptors","type":"text","marks":[{"type":"code"}]},{"text":" to false on the ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"code"}]},{"text":" filter. However, this also prevents truly “roleless” entity descriptors from being removed, which may have a negative impact on memory utilization. A workaround is to use both an ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"code"}]},{"text":" filter and a ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"code"}]},{"text":" filter, in sequence.","type":"text"}]},{"type":"paragraph","content":[{"text":"The following filter sequence is a complete replacement for the above ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"code"}]},{"text":" filter:","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Retain SP roles while preserving affiliation descriptors","type":"text","marks":[{"type":"strong"}]}]},{"type":"expand","attrs":{"title":"Retain SP roles while preserving affiliation descriptors"},"content":[{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n md:SPSSODescriptor\n\n\n\n\n \n \n \n","type":"text"}]}]},{"type":"paragraph","content":[{"text":"Note that ","type":"text"},{"text":"removeRolelessEntityDescriptors","type":"text","marks":[{"type":"code"}]},{"text":" is set to false on the ","type":"text"},{"text":"EntityRole","type":"text","marks":[{"type":"code"}]},{"text":" filter, which runs first. The ","type":"text"},{"text":"Predicate","type":"text","marks":[{"type":"code"}]},{"text":" filter then removes the “roleless” entity descriptors from its input without disturbing the affiliation descriptors (if any).","type":"text"}]}],"version":1}

Browser not supported