Filtering for EntityAttributes does not work (SP 2.5)

Richard M. Zahoransky richard.zahoransky at rz.uni-freiburg.de
Thu Nov 29 10:33:14 EST 2012


Hello list,

At our university we are using Shibboleth. We are planning to update to 
SP version 2.5 because we see a need for Entity-Attributes. On the SP we 
want to whitelist IdPs which have a certain EntityAttribute. The others 
should be ignored.

In shibboleth2.xml I enabled a whitelist filter with the EntityAttributes 
matcher. I also updated the metadata so that they hold the needed 
attributes.

However, shibd says it drops every entity because it is not whitelisted.

I have tried the following inside shibboleth2.xml:

        <MetadataProvider type="XML" file="filtertest.xml">
            <MetadataFilter type="Whitelist" matcher="EntityAttributes">
                <saml:Attribute Name="http://url/attribute/entity/category"
                                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
                    <saml:AttributeValue>http://url/category/ourcategory</saml:AttributeValue>
                </saml:Attribute>
            </MetadataFilter>
        </MetadataProvider>


and inside the metadata I have:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://ouridp/idp/shibboleth" xmlns:ds=...>
    <IDPSSODescriptor
        protocolSupportEnumeration=...>
        <Extensions>
            <shibmd:Scope regexp="false">uni-freiburg.de</shibmd:Scope>
            <mdattr:EntityAttributes
                xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
                <saml:Attribute
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                    Name="http://url/attribute/entity/category">
                    <saml:AttributeValue>http://url/category/ourcategory</saml:AttributeValue>
                </saml:Attribute>
            </mdattr:EntityAttributes>
        </Extensions>
        ...

shibd-log:

2012-11-29 14:07:15 INFO OpenSAML.MetadataProvider.XML : loaded XML resource (filtertest.xml)
2012-11-29 14:07:15 INFO OpenSAML.Metadata : applying metadata filter (Whitelist)
...
2012-11-29 14:07:15 INFO OpenSAML.MetadataFilter.Whitelist : filtering out non-whitelisted entity (https://ouridp/idp/shibboleth)

Can someone please provide some help/feedback?

Greetings,
Richard
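
Added example, not part of the original post and not Shibboleth code: the SAML V2.0 Metadata Extension for Entity Attributes defines mdattr:EntityAttributes as a child of the md:Extensions of an EntityDescriptor or EntitiesDescriptor, so this script reports, for each entity, whether the category tag from the post sits in the entity's own Extensions ("entity"), inside a child element such as IDPSSODescriptor ("nested"), or nowhere ("absent"). That the SP's EntityAttributes matcher consults only the spec-defined location is an assumption; the entity IDs in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
NAME = "http://url/attribute/entity/category"   # Name and value as in the post
VALUE = "http://url/category/ourcategory"

def _tagged(extensions, name, value, name_format):
    """True if this md:Extensions element carries the EntityAttributes tag."""
    if extensions is None:
        return False
    for attr in extensions.findall("mdattr:EntityAttributes/saml:Attribute", NS):
        if (attr.get("Name"), attr.get("NameFormat", UNSPECIFIED)) != (name, name_format):
            continue
        if any((v.text or "").strip() == value
               for v in attr.findall("saml:AttributeValue", NS)):
            return True
    return False

def locate_tag(metadata_xml, name=NAME, value=VALUE, name_format=URI):
    """Map entityID -> 'entity', 'nested' or 'absent' for the given tag."""
    found = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        if _tagged(ent.find("md:Extensions", NS), name, value, name_format):
            found[ent.get("entityID")] = "entity"   # where the spec places it
        elif any(_tagged(c.find("md:Extensions", NS), name, value, name_format)
                 for c in ent):
            found[ent.get("entityID")] = "nested"   # e.g. under IDPSSODescriptor
        else:
            found[ent.get("entityID")] = "absent"
    return found

# Constructed sample metadata: entity IDs are placeholders, not from the post.
_TAG = ('<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="%s" '
        'NameFormat="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>' % (NAME, URI, VALUE))
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s">'
          % (NS["md"], NS["mdattr"], NS["saml"])
          + '<md:EntityDescriptor entityID="https://idp-a.example.org">' + _TAG
          + '<md:IDPSSODescriptor/></md:EntityDescriptor>'
          + '<md:EntityDescriptor entityID="https://idp-b.example.org">'
          + '<md:IDPSSODescriptor>' + _TAG + '</md:IDPSSODescriptor></md:EntityDescriptor>'
          + '<md:EntityDescriptor entityID="https://idp-c.example.org">'
          + '<md:IDPSSODescriptor/></md:EntityDescriptor></md:EntitiesDescriptor>')

if __name__ == "__main__":
    print(locate_tag(SAMPLE))
```

Running the same function over the real metadata file shows which entities a placement-sensitive whitelist filter can be expected to keep before the SP is restarted.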

