The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPFilterRequirementAttributeInMetadata

Owned by Scott Cantor
Last updated: Feb 26, 2015 by trscavo@internet2.edu

Attribute In Metadata Matching Rule

This matching rule evaluates to true if the attribute requester's metadata contains a <RequestedAttribute> element matching a designated attribute (since v2.4).

This filter requires that the metadata for the attribute requester is loaded and available. It looks for an <AttributeConsumingService> element in the SP's metadata that corresponds to the authentication request (either by default or by explicit reference via an AttributeConsumingServiceIndex attribute in the request message). Matching then proceeds based on the contents of that element.

Limited support is provided for value matching. Using simple <AttributeValue> elements in metadata works to filter specific values of matched attributes.

Define the Rule

This matching rule cannot be used in a policy requirement rule, only in attribute rules.

This rule is defined by the element <PermitValueRule xsi:type="saml:AttributeInMetadata">, for permit value rules, with the following optional attributes:

  • onlyIfRequired - match only if the requested attribute is flagged in the metadata as isRequired, defaults to true
  • matchIfMetadataSilent - match if the metadata contains no <AttributeConsumingService> element at all, defaults to false.
  • attributeName - match if an attribute with the given name is listed in SP metadata (version 2.4.3 and later)
  • attributeNameFormat - match if an attribute with the given format is listed in SP metadata (version 2.4.3 and later)
Example Permit Rule using the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonPrincipalName">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>
</AttributeRule>

In version 2.4.3 and later, you can also include attributeName and attributeNameFormat attributes that specify a SAML Attribute to match on that is not the same as the one that is derived by examining the encoders configured for the attribute you're trying to release. In other words, in the above example, you could add attributeName="https://example.com/customAttribute" to release eduPersonPrincipalName if a custom attribute name is requested in metadata. In the following example, the eduPersonTargetedID attribute is released if the eduPersonPrincipalName attribute (urn:oid:1.3.6.1.4.1.5923.1.1.1.6) is listed in SP metadata:

Another Use of the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonTargetedID">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" attributeName="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"/>
</AttributeRule>

More complete examples are found elsewhere in this wiki.