IdP - EntityAttributes - Predicate - Regex filter for federation SPs
Martin Lunze
martin.lunze at tu-dresden.de
Fri Jul 20 02:03:14 EDT 2018
Hi Scott, hi Tom,
thanks again for all your time and helpful notes, it's great to have
such people like you.
I understand the problem, Tom, and I will use the additional filter to
remove such possible entityAttributes in all other metadata where I do
not want them :-)
But if I understand Scott correctly, then removing entityAttributes is
at the moment not possible?
Will it be possible in version 3.4 of the IdP, like the documentation [1]
suggests?
With nice regards.
Martin
[1]
https://wiki.shibboleth.net/confluence/display/IDP30/EntityAttributesFilter#EntityAttributesFilter-Removeentityattributesfrommetadata
On 17.07.2018 at 01:52, Cantor, Scott wrote:
>> Unfortunately the AttributeFilterScript feature is expected to be introduced
>> in V3.4. Maybe someone else knows how to do this without
>> AttributeFilterScript.
> The filter had no capability to remove existing tags until I added that as a safety net. If you control your metadata sources well enough, that's mostly a nicety, not that essential. If not, you probably have bigger problems. It really depends what you use them to do. If a tag turned on assertion signing or something like that, do I care really? Probably not.
>
> -- Scott
>
On 17.07.2018 at 00:05, Tom Scavo wrote:
> Martin, I'm afraid this is not bulletproof since entity attributes
> with this name can sneak in via other entity providers. To prevent
> this, you need to add the following filter to your
> FileBackedHTTPMetadataProvider:
>
> <MetadataFilter xsi:type="EntityAttributes">
> <AttributeFilterScript>
> <Script>
> <![CDATA[
> (function (attribute) {
> // remove any entity attribute with the following name
> return !attribute.getName().equals("https://tu-dresden.de/entity-type");
> }(input));
> ]]>
> </Script>
> </AttributeFilterScript>
> </MetadataFilter>
>
> Unfortunately the AttributeFilterScript feature is expected to be
> introduced in V3.4. Maybe someone else knows how to do this without
> AttributeFilterScript.
>
> Tom
--
Martin Lunze
IT System Administrator
Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden
Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
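
An added example, not part of the original thread and not Shibboleth code: a Python check that scans a metadata aggregate and reports entities that arrive already carrying the locally reserved tag name, which is the case the quoted filter guards against. The sample metadata and the value `internal` are constructed; only the attribute name comes from the thread.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
RESERVED_TAG = "https://tu-dresden.de/entity-type"  # tag name from the thread

# Constructed sample aggregate, not real federation metadata.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="https://tu-dresden.de/entity-type">
        <saml:AttributeValue>internal</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def find_reserved_tags(metadata_xml, reserved=RESERVED_TAG):
    """Return [(entityID, [values])] for entities carrying the reserved tag."""
    root = ET.fromstring(metadata_xml)
    hits = []
    # iter() also matches the root, so a lone EntityDescriptor document works.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        # '//' also catches attributes wrapped in a saml:Assertion.
        attrs = [a for a in entity.findall(
                     "md:Extensions/mdattr:EntityAttributes//saml:Attribute", NS)
                 if a.get("Name") == reserved]
        if attrs:  # flag the entity even if the attribute has no values
            values = [(v.text or "").strip() for a in attrs
                      for v in a.findall("saml:AttributeValue", NS)]
            hits.append((entity.get("entityID"), values))
    return hits

if __name__ == "__main__":
    print(find_reserved_tags(SAMPLE))
```

An empty result for a third-party feed means no entity in it carries the reserved name; any hit is an entity whose tag did not originate locally.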