Shortcut for releasing attributes requested in metadata

Wessel, Keith kwessel at
Tue Jan 25 15:34:43 UTC 2022

Thanks, Scott. I had considered doing entity attributes corresponding to each attribute or, when appropriate, sets of attributes. But I came down to the same conclusion you stated: it's really six of one, a half dozen of the other.

And thanks for confirming that I'm taking the right route here. I've got lots of attribute filter definitions that have built up over the past 10+ years, and it makes for a lengthy attribute-filter.xml.


-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, January 25, 2022 6:49 AM
To: Shib Users <users at>
Subject: Re: Shortcut for releasing attributes requested in metadata

On 1/24/22, 10:09 PM, "users on behalf of Wessel, Keith" <users-bounces at on behalf of kwessel at> wrote:

> Is there any shortcut for that? Or is that the only way to do it? I 
> can't think of a way to simply tell the IdP to release any attribute requested in metadata for a given metadata source.

The policy language designed in Shibboleth V2+ doesn't allow for that, there has to be an AttributeRule in the policy and they have to identify the Attribute involved.

> And, for that matter, is there any reason I shouldn't take this route 
> that anyone can think of before I manage to shoot myself in the foot?

We went with EntityAttribute tags in our examples so that the GUI project would have a consistent approach to follow but there's ultimately not much difference in how it looks or works, both are essentially the same idea. Yes, you should use metadata, however you do it. A new filter policy should only be needed for unusual cases like value filtering or when adding new attributes.

-- Scott

For Consortium Member technical support, see;!!DZ3fjg!tBh7VwzpnsBCCZfUzpRrGudnjCceopyIh4p5TKhphHipOtLXUD0VvwRDvaG0-u3MCg$
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list