IdP - EntityAttributes - Predicate - Regex filter for federation SPs

Tom Scavo trscavo at gmail.com
Fri Jul 13 08:38:34 EDT 2018 

On Fri, Jul 13, 2018 at 7:47 AM, Martin Lunze
<martin.lunze at tu-dresden.de> wrote:
>
> I have changed my config now to use one single LocalDynamicMetadataProvider
> instead of one separatly FilesystemMetadataProvider for every SP.
>
>>         <MetadataProvider id="LOCALMD"
>>                 xsi:type="LocalDynamicMetadataProvider"
>>                 sourceDirectory="%{idp.home}/metadata/local">
>>                 <MetadataFilter xsi:type="EntityAttributes">
>>                         <saml:Attribute
>> Name="https://tu-dresden.de/entity-type"
>> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>
>> <saml:AttributeValue>https://tu-dresden.de/entity-type/local</saml:AttributeValue>
>>                         </saml:Attribute>
>> <ConditionRef>always-true</ConditionRef>
>>                 </MetadataFilter>
>>         </MetadataProvider>

Martin, this is a great example. Would you mind adding it to the
EntityAttributesFilter [1] wiki page?

Here's a tip for the archive. Instead of referencing an external bean
with <ConditionRef>, in V3.4 one can use <ConditionScript> as well:

<ConditionScript>
    <Script>
    <![CDATA[
        (function (entity) { return true; }(input));
    ]]>
    </Script>
</ConditionScript>

This does the same thing as your external bean "always-true" but an
inline script leads to a self-contained example that is more
transparent.

> Works great and should be a bit less work for me for the future, because i
> did not have to write all the necessary config if a new SP occurs.

Yes, that is why LocalDynamicMetadataProvider is recommended. (Archive
readers should refer to the MetadataManagementBestPractices [2]
topic.)

> Still saving his metadata in the directory and give it the name of the
> SHA1-Hash of the depending entityID.
>
> Still looks a bit strange, all this hashes in the directory :-)

May I ask what tools are you using to manage the files in the sourceDirectory?

Thanks Martin.

Tom

[1] EntityAttributesFilter https://wiki.shibboleth.net/confluence/x/ZgMnAQ
[2] MetadataManagementBestPractices
https://wiki.shibboleth.net/confluence/x/JQXKAg

More information about the users mailing list