Very slow processing of attribute-filter.xml with many AttributeFilterPolicy elements

Lukas Hämmerle lukas.haemmerle at switch.ch
Thu Nov 27 07:45:32 EST 2014


On 27.11.14 11:21, Peter Schober wrote:
> Jfyi, back when I manually managed filters for Univie's internal SPs
> that was what I usually did, as it was clear we'd have more SPs than
> we'd have attributes to release, i.e. this makes for fewer rules to
> manage.
> (At the cost of someone wanting to see what a specific SP will get
> having to look for multiple occurrences of that SP's entityID in the
> filter.)

Another option we are thinking about is to create rules for attribute
bundles. This then would reduce the number of AttributeFilterPolicy
while keeping the possibility to easily see which attributes a
particular SP gets:

> <AttributeFilterPolicy id="bundle-email-givenName-sn">
>  <PolicyRequirementRule xsi:type="basic:OR">
>   <basic:Rule xsi:type="basic:AttributeRequesterString"
>     value="https://service.example1.edu/shibboleth-sp" />
>   <basic:Rule xsi:type="basic:AttributeRequesterString"
>     value="https://service.example2.edu/shibboleth-sp" />
>   [...]
>   <basic:Rule xsi:type="basic:AttributeRequesterString"
>     value="https://service.exampleN.edu/shibboleth-sp" />
>  </PolicyRequirementRule>
>
>  <AttributeRule attributeID="email">
>    <PermitValueRule xsi:type="basic:ANY" />
>  </AttributeRule>
>  <AttributeRule attributeID="givenName">
>    <PermitValueRule xsi:type="basic:ANY" />
>  </AttributeRule>
>  <AttributeRule attributeID="sn">
>    <PermitValueRule xsi:type="basic:ANY" />
>  </AttributeRule>
>
> </AttributeFilterPolicy>

Looking at the around 1900 SWITCHaai+eduGAIN SPs our
interfederation-enabled IdPs currently load, it seems that there are "only"
about 378 different attribute sets (of required and optional attribute
combinations). Looking only at required attributes, it would be around
240 such attribute sets.


Best Regards
Lukas


-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
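
An added example, not part of the original message and not Shibboleth project code: a Python script that groups SPs by their exact attribute set and emits one AttributeFilterPolicy per bundle, in the form of the snippet above. The function names, the policy group id and the SP-to-attribute mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace declarations for the IdP v2 filter syntax used in the snippet above.
NS = {
    "xmlns": "urn:mace:shibboleth:2.0:afp",
    "xmlns:basic": "urn:mace:shibboleth:2.0:afp:mf:basic",
    "xmlns:xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
REQUESTER = "basic:AttributeRequesterString"

# Constructed sample: entityID -> attributes that SP should receive.
SAMPLE = {
    "https://service.example1.edu/shibboleth-sp": {"email", "givenName", "sn"},
    "https://service.example2.edu/shibboleth-sp": {"sn", "email", "givenName"},
    "https://service.example3.edu/shibboleth-sp": {"email"},
    "https://service.example4.edu/shibboleth-sp": set(),
}

def group_by_bundle(sp_attributes):
    """Map each distinct attribute set (sorted tuple) to the SPs sharing it."""
    bundles = defaultdict(list)
    for entity_id, attrs in sp_attributes.items():
        if attrs:  # an SP with nothing to release gets no policy at all
            bundles[tuple(sorted(attrs))].append(entity_id)
    return {attrs: sorted(sps) for attrs, sps in sorted(bundles.items())}

def build_filter(sp_attributes):
    """Return filter XML with one AttributeFilterPolicy per attribute bundle."""
    # "bundled-policies" is a hypothetical group id.
    root = ET.Element("AttributeFilterPolicyGroup", {"id": "bundled-policies", **NS})
    for attrs, sps in group_by_bundle(sp_attributes).items():
        policy = ET.SubElement(root, "AttributeFilterPolicy",
                               {"id": "bundle-" + "-".join(attrs)})
        if len(sps) == 1:  # a single requester needs no basic:OR wrapper
            ET.SubElement(policy, "PolicyRequirementRule",
                          {"xsi:type": REQUESTER, "value": sps[0]})
        else:
            any_of = ET.SubElement(policy, "PolicyRequirementRule",
                                   {"xsi:type": "basic:OR"})
            for sp in sps:
                ET.SubElement(any_of, "basic:Rule",
                              {"xsi:type": REQUESTER, "value": sp})
        for attr in attrs:
            rule = ET.SubElement(policy, "AttributeRule", {"attributeID": attr})
            ET.SubElement(rule, "PermitValueRule", {"xsi:type": "basic:ANY"})
    ET.indent(root)  # Python 3.9+
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(build_filter(SAMPLE))
```

Because the grouping key is the exact attribute set, each SP appears in exactly one policy, so its released attributes can be read from a single place.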

