Duplicate entity attributes being added by EntityAttribute metadata filter

Wessel, Keith kwessel at illinois.edu
Tue Oct 29 16:33:57 EDT 2019


I reversed them in the same MetadataFilter block, but with unintended and predictable consequences. With the consent entity attribute first and the source entity attribute second, all entities from the MDQ service now get both. This follows the logic from the example on the wiki. Any <saml:Attribute> blocks apply to the entities and conditions that follow, and subsequent <saml:Attribute> blocks don't replace earlier ones within the same filter block. They add to them. So, this block:

	<MetadataFilter xsi:type="EntityAttributes">
	    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
		<saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
	    </saml:Attribute>
	    <Entity>https://sp1.example.org/shibboleth</Entity>
	    <Entity>https://sp2.example.org/shibboleth</Entity>

	    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
		<saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
	    </saml:Attribute>
	    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
	</MetadataFilter>

Results in all entities returned from the MDQ service getting both entity attributes.

Did I misunderstand what you meant by reversing them?

I'm happy to leave them as separate filters for now. And I'll file that bug.

And yes, Slack is slightly more accessible than Jira. Whereas Jira is near impossible for some of the drop-down menus, Slack is useable. It's just noisy and cluttered.

Keith


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, October 29, 2019 3:19 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Duplicate entity attributes being added by EntityAttribute metadata filter

On 10/29/19, 3:47 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:

> Thanks, Scott. Splitting these into two separate MetadataFilter element blocks does, in fact, resolve it.

So would reversing them. If the first condition is the "lesser" one, then the duplication won't matter.

> Does this lead to any less efficient processing? I'm guessing, even if it does, it's negligible.

Not appreciably.

> Would you like me to file a bug? Can't promise that Jira and my screen reader will cooperate enough for me to get it
> into the right area, but I'm certainly willing to try.

I'll get around to it if it's too much trouble. Is Slack any better? I've been meaning to look into some kind of integration there.

-- Scott
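
The split configuration that the thread reports as resolving the duplication, written out as an added example that is not part of the original messages. The entity IDs and attribute names are the ones from the block posted above; the enclosing metadata provider, its namespace declarations, and how the two filters are nested under it are assumed to be as in the existing configuration.

```xml
<!-- Filter 1: consent tag, scoped only to the two listed entities -->
<MetadataFilter xsi:type="EntityAttributes">
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:consent">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:consent:no-consent-needed</saml:AttributeValue>
    </saml:Attribute>
    <Entity>https://sp1.example.org/shibboleth</Entity>
    <Entity>https://sp2.example.org/shibboleth</Entity>
</MetadataFilter>

<!-- Filter 2: source tag, applied to every entity from this provider.
     Kept in its own filter so the consent attribute above is not in
     scope when the always-true condition is evaluated. -->
<MetadataFilter xsi:type="EntityAttributes">
    <saml:Attribute Name="urn:mace:incommon:uiuc.edu:source">
        <saml:AttributeValue>urn:mace:incommon:uiuc.edu:source:incommon-mdq</saml:AttributeValue>
    </saml:Attribute>
    <ConditionRef>shibboleth.Conditions.TRUE</ConditionRef>
</MetadataFilter>
```

After reloading, check an entity that is not in the first filter's list to confirm it carries only the source tag.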

