group-based attribute release policy
Guillaume Rousse
guillaume.rousse at renater.fr
Mon Jun 20 15:13:33 UTC 2022
Hello.
When using federation XML metadata files (FileBackedHTTPMetadataProvider
type metadata provider), it is quite easy to define a group-based
attribute release policy, using the Name attribute of the top-level
EntitiesDescriptor element, i.e.:
<AttributeFilterPolicy id="ferFilter">
<PolicyRequirementRule xsi:type="InEntityGroup"
groupID="https://my.federation/"/>
...
</AttributeFilterPolicy>
However, when using different types of metadata sources, such as
DynamicHTTPMetadataProvider or LocalDynamicMetadataProvider, which split
a set of entities into individual entity metadata, this doesn't work
anymore, as there is no more top-level EntitiesDescriptor element.
In order to implement a similar policy, we switched to
RegistrationAuthority criteria. This works well in most cases, but
doesn't allow distinguishing between multiple federations from the
same registration authority (for instance, test and production federations).
We considered introducing a new member-of entity attribute, such as:
<EntityAttributes>
<Attribute
Name="https://federation.renater.fr/member-of"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<AttributeValue>https://my.federation/</AttributeValue>
</Attribute>
</EntityAttributes>
And then use it in the attribute filter policy:
<AttributeFilterPolicy id="ferFilter">
<PolicyRequirementRule
xsi:type="EntityAttributeExactMatch"
attributeName="https://federation.renater.fr/member-of"
attributeValue="https://my.federation/" />
...
</AttributeFilterPolicy>
But maybe there is a simpler solution? For instance, using the id
attribute of the MetadataProvider element?
Regards.
--
Guillaume Rousse
Direction des Services Applicatifs
RENATER - Paris
Tel: +33 1 53 94 20 45
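Added worked example (not part of Guillaume's message, and not Shibboleth code): a small evaluator that applies the two policy requirement rules discussed above to per-entity metadata, the layout a DynamicHTTPMetadataProvider or LocalDynamicMetadataProvider hands back. The three EntityDescriptors are constructed; the attribute name https://federation.renater.fr/member-of is the one proposed in the post, while the registrar and federation URIs and entityIDs are invented for the demonstration. It shows concretely why a RegistrationAuthority rule cannot separate a test federation from a production one run by the same registrar, whereas an EntityAttributeExactMatch rule on the member-of value can.

```python
"""Evaluate RegistrationAuthority vs. EntityAttributeExactMatch style rules
against split, per-entity SAML metadata (constructed sample data)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute name from the post; registrar and federation URIs are assumptions.
MEMBER_OF = "https://federation.renater.fr/member-of"
REGISTRAR = "https://federation.renater.fr/"
PROD_FED = "https://my.federation/"
TEST_FED = "https://test.my.federation/"
OTHER_REGISTRAR = "https://other.federation.example/"


def make_entity(entity_id, registrar, federations):
    """Build one constructed EntityDescriptor carrying mdrpi:RegistrationInfo
    and one member-of AttributeValue per federation the entity belongs to."""
    values = "".join(
        f"<saml:AttributeValue>{f}</saml:AttributeValue>" for f in federations
    )
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" entityID="{entity_id}">
  <md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="{registrar}"/>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="{MEMBER_OF}"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">{values}</saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


# Constructed sample: two SPs registered by the same registrar but in
# different federations, plus one SP from an unrelated registrar.
SAMPLE = {
    "https://sp-prod.example.org/shibboleth": make_entity(
        "https://sp-prod.example.org/shibboleth", REGISTRAR, [PROD_FED]),
    "https://sp-test.example.org/shibboleth": make_entity(
        "https://sp-test.example.org/shibboleth", REGISTRAR, [TEST_FED]),
    "https://sp-foreign.example.net/shibboleth": make_entity(
        "https://sp-foreign.example.net/shibboleth", OTHER_REGISTRAR, []),
}


def registration_authority_matches(entity_xml, authority):
    """Equivalent of a RegistrationAuthority policy requirement rule:
    true when mdrpi:RegistrationInfo names the given authority."""
    root = ET.fromstring(entity_xml)
    info = root.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info is not None and info.get("registrationAuthority") == authority


def entity_attribute_exact_match(entity_xml, name, value):
    """Equivalent of an EntityAttributeExactMatch rule: true when some
    saml:Attribute with the given Name carries an exactly equal value.
    An entity without EntityAttributes, or with the attribute but no
    matching value, simply does not match."""
    root = ET.fromstring(entity_xml)
    for attr in root.findall(
            "md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for v in attr.findall("saml:AttributeValue", NS):
            if (v.text or "").strip() == value:
                return True
    return False


def entities_passing(entities, rule):
    """Return the sorted entityIDs for which the rule would release attributes."""
    return sorted(eid for eid, xml in entities.items() if rule(xml))


if __name__ == "__main__":
    by_registrar = entities_passing(
        SAMPLE, lambda x: registration_authority_matches(x, REGISTRAR))
    by_member_of = entities_passing(
        SAMPLE, lambda x: entity_attribute_exact_match(x, MEMBER_OF, PROD_FED))
    print("RegistrationAuthority rule releases to:", by_registrar)
    print("member-of rule releases to:", by_member_of)
```

Running the block prints both lists: the RegistrationAuthority rule releases to the production and the test SP alike, while the member-of rule for the production federation releases only to the production SP.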