IdP - EntityAttributes - Predicate - Regex filter for federation SPs
Tom Scavo
trscavo at gmail.com
Mon Jul 16 18:05:50 EDT 2018
On Fri, Jul 13, 2018 at 7:47 AM, Martin Lunze
<martin.lunze at tu-dresden.de> wrote:
>
> I have changed my config now to use one single LocalDynamicMetadataProvider
> instead of one separate FilesystemMetadataProvider for every SP.
>
>> <MetadataProvider id="LOCALMD"
>>                   xsi:type="LocalDynamicMetadataProvider"
>>                   sourceDirectory="%{idp.home}/metadata/local">
>>     <MetadataFilter xsi:type="EntityAttributes">
>>         <saml:Attribute
>>             Name="https://tu-dresden.de/entity-type"
>>             NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>>             <saml:AttributeValue>https://tu-dresden.de/entity-type/local</saml:AttributeValue>
>>         </saml:Attribute>
>>         <ConditionRef>always-true</ConditionRef>
>>     </MetadataFilter>
>> </MetadataProvider>
Martin, I'm afraid this is not bulletproof since entity attributes
with this name can sneak in via other entity providers. To prevent
this, you need to add the following filter to your
FileBackedHTTPMetadataProvider:
<MetadataFilter xsi:type="EntityAttributes">
    <AttributeFilterScript>
        <Script>
            <![CDATA[
            (function (attribute) {
                // remove any entity attribute with the following name
                return !attribute.getName().equals("https://tu-dresden.de/entity-type");
            }(input));
            ]]>
        </Script>
    </AttributeFilterScript>
</MetadataFilter>
Unfortunately the AttributeFilterScript feature is expected to be
introduced in V3.4. Maybe someone else knows how to do this without
AttributeFilterScript.
Tom
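The risk Tom describes can be checked outside the IdP as well: audit a federation aggregate for EntityDescriptors that carry the IdP-private entity-type attribute, and strip that attribute before the aggregate is trusted, which is what the AttributeFilterScript above does inside the IdP. The script below is an added example, not code from this thread or from the Shibboleth project; the aggregate it parses is constructed for the example, and the entityIDs and the second attribute name in it are made up.

```python
"""Audit and strip a private entity attribute from SAML metadata (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# The attribute name from the thread: only local metadata should ever set it.
ENTITY_TYPE_ATTR = "https://tu-dresden.de/entity-type"

# Constructed sample aggregate (not real federation data): the first SP
# carries the private entity-type attribute, which a remote source must
# never be allowed to assert; the second SP is clean.
SAMPLE_FEDERATION_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="https://tu-dresden.de/entity-type"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://tu-dresden.de/entity-type/local</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="http://example.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://example.org/category/test</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.net/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://example.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://example.org/category/test</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

ATTR_PATH = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"


def entities_carrying(metadata_xml, attr_name=ENTITY_TYPE_ATTR):
    """Return the entityIDs whose EntityAttributes contain attr_name."""
    root = ET.fromstring(metadata_xml)
    found = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        for attr in ed.iterfind(ATTR_PATH, NS):
            if attr.get("Name") == attr_name:
                found.append(ed.get("entityID"))
                break
    return found


def strip_entity_attribute(metadata_xml, attr_name=ENTITY_TYPE_ATTR):
    """Remove every saml:Attribute named attr_name from the EntityAttributes
    extension of every entity (the same effect as the AttributeFilterScript
    in the thread). Returns (cleaned_xml, number_removed)."""
    root = ET.fromstring(metadata_xml)
    removed = 0
    for ea in root.iter("{%s}EntityAttributes" % NS["mdattr"]):
        for attr in list(ea.findall("saml:Attribute", NS)):
            if attr.get("Name") == attr_name:
                ea.remove(attr)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def count_attributes(metadata_xml):
    """Total number of saml:Attribute elements under any EntityAttributes."""
    root = ET.fromstring(metadata_xml)
    return sum(1 for _ in root.iter("{%s}Attribute" % NS["saml"]))


if __name__ == "__main__":
    offenders = entities_carrying(SAMPLE_FEDERATION_METADATA)
    print("entities asserting the private attribute:", offenders)
    cleaned, n = strip_entity_attribute(SAMPLE_FEDERATION_METADATA)
    print("removed %d attribute(s); remaining: %d" % (n, count_attributes(cleaned)))
```

Run it against an aggregate fetched from your federation before loading it, or as a periodic check: any entityID reported by `entities_carrying` is a sign that the private attribute name is leaking in through a remote source and that the filter on the FileBackedHTTPMetadataProvider is missing or not working. Only the named attribute is removed; unrelated entity attributes on the same entity are left in place.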