example of <DiscoveryFilter>

Cantor, Scott cantor.2 at osu.edu
Tue Feb 11 17:07:51 EST 2014


On 2/11/14, 4:19 PM, "Tom Scavo" <trscavo at gmail.com> wrote:

>That's helpful, thanks. If I wanted to whitelist additional entities
>(in addition to those above), I would just add one or more
><RelyingParty> elements. I assume order doesn't matter, that is, any
>number of <saml:Attribute> elements and <RelyingParty> elements could
>be added to the whitelist in any order, correct?

No, the type of matcher dictates the kind of rules you can use, and
there's only one type of matcher permitted in each filter, so no way to
combine them except in separate filters.

RelyingParty elements aren't involved. That's an example of something that
uses the EntityMatcher extension point. If you want to filter by name, you
just have a Name attribute in the Filter element itself.

I don't think there's any way to do that in fact, you can't chain
whitelists that don't overlap (see below).

>So you could have two <DiscoveryFilter> elements back-to-back, one a
>whitelist and the other a blacklist. In that case, I would think order
>*would* matter, right?

Yes, the evaluator short-circuits. If any filter in sequence doesn't allow
inclusion, it's skipped. So it's not necessarily going to be workable to
do certain things.

-- Scott
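
The evaluation described in the reply above, as an added example that is not part of the original message and not the software's own code: a small Python model in which each filter carries exactly one matcher and an entity is skipped at the first filter in sequence that does not allow it. The entity IDs, the `category` attribute and every function and label name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample feed: entityID -> set of (attribute name, value) pairs.
ENTITIES = {
    "https://idp.example.org/a": {("category", "research")},
    "https://idp.example.org/b": {("category", "research")},
    "https://idp.example.org/c": set(),
}

@dataclass(frozen=True)
class Filter:
    label: str
    kind: str                             # "whitelist" or "blacklist"
    matcher: Callable[[str, set], bool]   # one matcher type per filter

    def allows(self, entity_id, tags):
        hit = self.matcher(entity_id, tags)
        return hit if self.kind == "whitelist" else not hit

def by_name(*names):
    """Matcher on the entity's name."""
    return lambda entity_id, tags: entity_id in names

def by_attribute(name, value):
    """Matcher on an entity attribute."""
    return lambda entity_id, tags: (name, value) in tags

def evaluate(filters, entities=ENTITIES):
    """Return (included ids, {skipped id: label of the filter that stopped it})."""
    included, skipped = [], {}
    for entity_id, tags in entities.items():
        for f in filters:
            if not f.allows(entity_id, tags):
                skipped[entity_id] = f.label   # short-circuit: later filters never run
                break
        else:
            included.append(entity_id)
    return included, skipped

WL_ATTR = Filter("wl-research", "whitelist", by_attribute("category", "research"))
WL_NAME_C = Filter("wl-name-c", "whitelist", by_name("https://idp.example.org/c"))
BL_NAME_B = Filter("bl-name-b", "blacklist", by_name("https://idp.example.org/b"))

if __name__ == "__main__":
    print(evaluate([WL_ATTR, BL_NAME_B]))   # whitelist followed by blacklist
    print(evaluate([WL_ATTR, WL_NAME_C]))   # two whitelists that do not overlap
```

In this model the second chain includes nothing, because every entity fails one of the two whitelists, which is the non-overlapping case the reply says cannot be chained.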



