Very slow processing of attribute-filter.xml with many AttributeFilterPolicy elements
Anders Lördal
Anders.Lordal at hig.se
Thu Nov 27 07:50:18 EST 2014
What about going for entity categories?
Then you can define some categories for smaller attribute bundles and then tag the SPs.
Regards
Anders Lördal
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Lukas Hämmerle
Sent: den 27 november 2014 13:46
To: Shib Users
Subject: Re: Very slow processing of attribute-filter.xml with many AttributeFilterPolicy elements
On 27.11.14 11:21, Peter Schober wrote:
> Jfyi, back when I manually managed filters for Univie's internal SPs
> that was what I usually did, as it was clear we'd have more SPs than
> we'd have attributes to release, i.e. this makes for fewer rules to
> manage.
> (At the cost of someone wanting to see what a specific SP will get
> having to look for multiple occurrences of that SP's entityID in the
> filter.)
Another option we are thinking about is to create rules for attribute
bundles. This then would reduce the number of AttributeFilterPolicy
while keeping the possibility to easily see which attributes a
particular SP gets:
> <AttributeFilterPolicy id="bundle-email-givenName-sn">
> <PolicyRequirementRule xsi:type="basic:OR">
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://service.example1.edu/shibboleth-sp" />
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://service.example2.edu/shibboleth-sp" />
> [...]
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://service.exampleN.edu/shibboleth-sp" />
> </PolicyRequirementRule>
>
> <AttributeRule attributeID="email">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
> <AttributeRule attributeID="givenName">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
> <AttributeRule attributeID="sn">
> <PermitValueRule xsi:type="basic:ANY" />
> </AttributeRule>
>
> </AttributeFilterPolicy>
Looking at the around 1900 SWITCHaai+eduGAIN SPs our
interfederation-enabled IdPs currently load, it seems that there are "only"
about 378 different attribute sets (of required and optional attribute
combinations). Looking only at required attributes, it would be around
240 such attribute sets.
Best Regards
Lukas
--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
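As an added illustration of the attribute-bundle approach described in the quoted message (not code from the thread or from the Shibboleth project): a Python script that groups SPs by their attribute set and emits one AttributeFilterPolicy per distinct set, so each SP's entityID appears in exactly one policy. The SP-to-attribute mapping is constructed sample data, the function names are hypothetical, and the `xsi` and `basic` prefixes are assumed to be declared on the enclosing policy group, as in the quoted snippet.

```python
from collections import defaultdict
from xml.sax.saxutils import quoteattr

# Constructed sample input: SP entityID -> attributes released to it.
SP_ATTRIBUTES = {
    "https://service.example1.edu/shibboleth-sp": {"email", "givenName", "sn"},
    "https://service.example2.edu/shibboleth-sp": {"sn", "email", "givenName"},
    "https://service.example3.edu/shibboleth-sp": {"email"},
}

def group_by_bundle(sp_attributes):
    """Map each distinct attribute set to the sorted SPs that receive it."""
    bundles = defaultdict(list)
    for entity_id, attrs in sp_attributes.items():
        if attrs:  # an SP that is released nothing needs no policy
            bundles[frozenset(attrs)].append(entity_id)
    return {bundle: sorted(sps) for bundle, sps in bundles.items()}

def render_policy(bundle, sps):
    """Render one AttributeFilterPolicy in the style of the quoted snippet."""
    attrs = sorted(bundle)
    req = 'xsi:type="basic:AttributeRequesterString" value=%s />'
    out = ["<AttributeFilterPolicy id=%s>" % quoteattr("bundle-" + "-".join(attrs))]
    if len(sps) == 1:
        # Single-SP bundle: use the requester rule directly, no one-child OR.
        out.append("  <PolicyRequirementRule " + req % quoteattr(sps[0]))
    else:
        out.append('  <PolicyRequirementRule xsi:type="basic:OR">')
        out += ["    <basic:Rule " + req % quoteattr(sp) for sp in sps]
        out.append("  </PolicyRequirementRule>")
    for attr in attrs:
        out.append("  <AttributeRule attributeID=%s>" % quoteattr(attr))
        out.append('    <PermitValueRule xsi:type="basic:ANY" />')
        out.append("  </AttributeRule>")
    out.append("</AttributeFilterPolicy>")
    return "\n".join(out)

def render_all(sp_attributes):
    """One policy per distinct attribute set; each SP appears exactly once."""
    bundles = group_by_bundle(sp_attributes)
    ordered = sorted(bundles.items(), key=lambda kv: sorted(kv[0]))
    return "\n\n".join(render_policy(b, s) for b, s in ordered)

if __name__ == "__main__":
    print(render_all(SP_ATTRIBUTES))
```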