IssuerProtocolSupportConfiguration

Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

This feature requires V5.2+ of the software.

Overview

The IssuerProtocolSupport type is a PolicyRule that returns true if and only if the protocolSupportEnumeration attribute inside the “role” element (generally an IDPSSODescriptor) in the SAML metadata for the requester contains a value matching the protocol XML Attribute supplied in the rule.

While this attribute is more typically used to advertise the identity protocols supported by the requester (e.g., SAML 2.0, OpenID), it is an arbitrary list of URIs and so it can in principle contain any data one might like, and can therefore act as a general signal for policy. In effect, it’s somewhat like an EntityAttributes “tag” with an implicit name, and because it appears at the “role” level, it can be specific to a role rather than the entity as a whole. For example, a proxy could have a different (or absent) value when acting as an SP than when acting as an IdP, which is not possible with tags.

Reference

The following XML Attribute is required:

Name        Type   Description
protocol    URI    The protocol to match

Example

The following policy rule would match the protocol advertised in the metadata fragment shown below it:

<PolicyRequirementRule xsi:type="IssuerProtocolSupport" protocol="https://example.org/custom" />

[...] <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol https://example.org/custom"> [...]
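As an added example (not code from this page or from the Shibboleth project), a small Python model of the match this rule performs, run over a constructed metadata fragment for a proxy whose IdP role lists the custom URI while its SP role does not. The entityID and the role-name parameter are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata for a proxy entity: the IdP role advertises the
# custom URI alongside SAML 2.0, the SP role advertises SAML 2.0 only.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://proxy.example.org/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol https://example.org/custom"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</EntityDescriptor>"""


def protocol_supported(metadata_xml: str, role: str, protocol: str) -> bool:
    """Model of the rule: true iff the named role element of the requester's
    metadata lists `protocol` as one whitespace-separated token of its
    protocolSupportEnumeration attribute.

    The comparison is on whole tokens, so a URI that merely has the wanted
    value as a prefix (e.g. .../custom2) does not match, and a missing role
    or missing attribute evaluates to false rather than raising."""
    root = ET.fromstring(metadata_xml)
    role_el = root.find(f"{{{MD_NS}}}{role}")
    if role_el is None:
        return False
    tokens = role_el.get("protocolSupportEnumeration", "").split()
    return protocol in tokens


def roles_supporting(metadata_xml: str, protocol: str) -> list:
    """Return the sorted local names of every role element in the entity
    whose enumeration contains `protocol`, showing the role-level scoping."""
    root = ET.fromstring(metadata_xml)
    matches = []
    for child in root:
        if not child.tag.startswith("{" + MD_NS + "}"):
            continue
        local = child.tag.split("}", 1)[1]
        if protocol in child.get("protocolSupportEnumeration", "").split():
            matches.append(local)
    return sorted(matches)


if __name__ == "__main__":
    print(protocol_supported(SAMPLE_METADATA, "IDPSSODescriptor", "https://example.org/custom"))
    print(roles_supporting(SAMPLE_METADATA, "https://example.org/custom"))
```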
