PredicateMetadataFilter
Namespace: urn:mace:shibboleth:2.0:metadata
Schema: http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
Overview
The Predicate
metadata filter applies an include or exclude rule to each entity in the input if a supplied Predicate<EntityDescriptor> returns true. The predicate may be defined explicitly (via the conditionRef
attribute) or implicitly from the child elements.
Filter order is important!
This filter changes the content of the metadata and so a filter of type Predicate
should appear after any SignatureValidationFilter in the overall sequence of filters.
Reference
Examples
Include a single entity
The following simple example includes at most one entity. This filter intentionally prevents new or unexpected entities from appearing in the metadata feed.
Include a single entity
<MetadataFilter xsi:type="Predicate" direction="include" removeEmptyEntitiesDescriptors="true">
<Entity>https://sp.example.org/trusted-sp</Entity>
</MetadataFilter>
Exclude all entities containing a particular entity attribute
The next example excludes all entities containing a particular entity attribute, presumably because the IdP is the sole authority for this attribute.
Exclude all entities containing an unauthorized entity attribute
<MetadataFilter xsi:type="Predicate" direction="exclude" removeEmptyEntitiesDescriptors="true" trim="true">
<Tag name="http://macedir.org/entity-category" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<Value>http://idp.example.org/local-category</Value>
</Tag>
</MetadataFilter>
The name "http://macedir.org/entity-category"
used in the above examples is a standard entity attribute name. For reference, consult the following specification: The Entity Category SAML Attribute Types
Include all entities based on a regexp applied to the entityID
The core of this is the RegexPredicate.
However this takes a string, rather than an EntityID and so we need to navigate to it. We could of course use jacascript, but the Spring EL Predicate provides a better shorthand. One injects the RegexPredicate
to do the work and use Spring EL to do the navigation. The result is this Spring Segment
Regexp predicate
Exclude "roleless" entity descriptors
Recall that the following EntityRole filter retains all <md:SPSSODescriptor>
elements in the input:
Retain SP roles only
The previous filter essentially filters all non-SP role descriptors from the input. At the end of that process, if an empty entity descriptor remains (because all of its roles have been removed), the entity itself is removed.
Unfortunately the EntityRole
filter may not handle affiliation descriptors as expected. Specifically, an <md:EntityDescriptor>
element that contains an <md:AffiliationDescriptor>
child element is handled in exactly the same way as an <md:EntityDescriptor>
element that contains no role descriptors. That is, if removeRolelessEntityDescriptors
is true (which it is by default), both are removed from the input.
A quick fix that preserves any affiliation descriptors in the input is to set removeRolelessEntityDescriptors
to false on the EntityRole
filter. However, this also prevents truly “roleless” entity descriptors from being removed, which may have a negative impact on memory utilization. A workaround is to use both an EntityRole
filter and a Predicate
filter, in sequence.
The following filter sequence is a complete replacement for the above EntityRole
filter:
Retain SP roles while preserving affiliation descriptors
Note that removeRolelessEntityDescriptors
is set to false on the EntityRole
filter, which runs first. The Predicate
filter then removes the “roleless” entity descriptors from its input without disturbing the affiliation descriptors (if any).