group-based attribute release policy

Guillaume Rousse guillaume.rousse at
Mon Jun 20 15:13:33 UTC 2022


When using federation XML metadata files (FileBackedHTTPMetadataProvider 
type metadata provider), it is quite easy to define a group-based 
attribute release policy, using the Name attribute of the top-level 
EntitiesDescriptor element, i.e.:

<AttributeFilterPolicy id="ferFilter">
   <PolicyRequirementRule xsi:type="InEntityGroup" 

However, when using different types of metadata sources, such as 
DynamicHTTPMetadataProvider or LocalDynamicMetadataProvider, which split 
a set of entities into individual entity metadata, this doesn't work 
anymore, as there is no more top-level EntitiesDescriptor element.

In order to implement a similar policy, we switched to the 
RegistrationAuthority criterion. This works well in most cases, but 
doesn't allow distinguishing between multiple federations from the 
same registration authority (for instance, test and production federations).

We considered introducing a new member-of attribute, such as:

And then use it in attribute filter policy:
<AttributeFilterPolicy id="ferFilter">
     attributeValue="https://my.federation/" />

But maybe there is a simpler solution? For instance, using the id 
attribute of the MetadataProvider element?

Guillaume Rousse
Direction des Services Applicatifs
Tel: +33 1 53 94 20 45
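The three policy variants discussed in the post, side by side, as an added illustration that is not part of the original message. The federation URIs, the entity attribute name "http://my.federation/memberOf" and the released attribute ID are assumed placeholders; the element and rule types are those of the Shibboleth IdP attribute-filter.xml syntax.

```xml
<!-- Added example (not from the original post): three ways to express a
     federation-membership release policy in attribute-filter.xml.
     The federation URIs, the "memberOf" entity attribute name and the
     released attribute ID are assumptions for illustration only. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- 1. File-backed aggregate: match on the Name of the top-level
       EntitiesDescriptor. Only works when the aggregate is loaded whole. -->
  <AttributeFilterPolicy id="ferFilter-group">
    <PolicyRequirementRule xsi:type="InEntityGroup"
        groupID="https://my.federation/" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  </AttributeFilterPolicy>

  <!-- 2. Per-entity metadata (DynamicHTTP / LocalDynamic): match on the
       registrationAuthority in the entity's RegistrationInfo extension.
       Cannot tell a test federation from production when both are
       published by the same registrar. -->
  <AttributeFilterPolicy id="ferFilter-registrar">
    <PolicyRequirementRule xsi:type="RegistrationAuthority"
        registrars="https://my.federation/" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  </AttributeFilterPolicy>

  <!-- 3. Per-entity metadata with a federation-specific entity attribute
       (assumed name): the value separates test from production, so SPs
       registered only in the test federation never match this rule. -->
  <AttributeFilterPolicy id="ferFilter-member">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://my.federation/memberOf"
        attributeValue="https://my.federation/" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Variant 3 only helps if the entity attribute is placed in metadata by the federation's own signed feed, not by the SP operator, since the IdP trusts whatever the metadata provider delivers.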
