The AttributeInMetadata type describes a Matcher that filters results based upon any <md:RequestedAttribute> elements in the metadata for the AttributeConsumingService that applies to the request. The parameterization controls:
- whether the RequestedAttribute is looked up directly by name or mapped from the input attribute's encoders (attributeName, attributeNameFormat)
- what the behavior is if the AttributeConsumingService has no requested attributes (matchIfMetadataSilent)
- what the behavior is with respect to the isRequired XML attribute on the <md:RequestedAttribute> element, if any (onlyIfRequired)
- whether this is a Matcher or a PolicyRule (attributeID)
The AttributeInMetadata type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the saml:AttributeInMetadata type was defined by the urn:mace:shibboleth:2.0:afp:mf:saml schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-saml.xsd. Use of this namespace is deprecated, but is still supported.
| Name | Type | Default | Description |
| --- | --- | --- | --- |
| attributeName | String | optional | If this attribute is present, a <md:RequestedAttribute> is a candidate only if its Name equals this value, rather than a name derived from the input attribute's encoders. If it is absent, the candidates are the <md:RequestedAttribute> elements whose Name and NameFormat match one of the input attribute's encoders. |
| attributeNameFormat | String | optional | If this attribute is present, provides additional filtering of the candidate <md:RequestedAttribute> elements: only those whose NameFormat equals this value are considered. |
| matchIfMetadataSilent | boolean | false | If the value of this attribute is true, then all input values are returned if the metadata contains no <md:RequestedAttribute> elements for the AttributeConsumingService. If it is false, nothing matches in that case. |
| onlyIfRequired | boolean | true (erroneously false in releases prior to 3.2) | If the value of this attribute is true, and the <md:RequestedAttribute> element does not carry isRequired="true", that element is not treated as a match. |
| attributeID | String | optional | If this attribute is present, then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. See AttributeValueString for an example of how attributeID changes the meaning of a Matcher in a slightly less daunting environment. |
Value matching is purely string based. Only string attribute values of the input attribute are inspected, and they are compared with a string representation of each of the values in the RequestedAttribute. Only matching values are added to the Permit or Deny list. A <md:RequestedAttribute> that carries no values matches every value of the input attribute.
AttributeInMetadata or MappedAttributeInMetadata?
AttributeInMetadata and MappedAttributeInMetadata are both matchers with significant overlap. In practice, use AttributeInMetadata if you need to coerce the metadata attribute name that is looked up (via attributeName), and MappedAttributeInMetadata if you need to compare non-string values, or are concerned about the extra cost of repeatedly performing the lookup in the metadata.
Suppose an SP has the following requested attributes in metadata:
Then an IdP with the following configuration will release the indicated wire attributes to the above SP:
Such an IdP will not release attributes to an SP unless the indicated requested attributes are in SP metadata.
Now suppose an SP has the following requested attributes in metadata:
Then two IdPs with the following configurations will release the indicated wire attributes to the above SP:
Note that both IdPs have an attribute release policy that relies on the same set of requested attributes, but the requested attributes are mapped to different wire attributes in each case.
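The metadata and configuration snippets the two scenarios above refer to are not present on this page. The following is an added, constructed example (not the page's own text and not Shibboleth project code) of an SP metadata fragment together with an IdP attribute-filter.xml that exercises each parameter in the table: the default onlyIfRequired behaviour, an optional request, attributeName/attributeNameFormat coercion for an IdP whose internal attribute has a different ID, and attributeID turning the matcher into a PolicyRule. The entityID, the internal attribute IDs (mail, displayName, eduPersonAffiliation, eduPersonScopedAffiliation, preferredEmail) and the assumption that preferredEmail is encoded under the mail OID in attribute-resolver.xml are illustrative assumptions; the OIDs, NameFormat and afp element names are the standard ones.

```xml
<!-- ===== Constructed SP metadata fragment (trimmed to the relevant elements) ===== -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
      <!-- mail is required; no values listed, so every mail value matches -->
      <md:RequestedAttribute isRequired="true" FriendlyName="mail"
          Name="urn:oid:0.9.2342.19200300.100.1.3"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <!-- displayName is requested but optional -->
      <md:RequestedAttribute isRequired="false" FriendlyName="displayName"
          Name="urn:oid:2.16.840.1.113730.3.1.241"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
      <!-- eduPersonAffiliation is required, but only the value "staff" is wanted -->
      <md:RequestedAttribute isRequired="true" FriendlyName="eduPersonAffiliation"
          Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>staff</saml:AttributeValue>
      </md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

<!-- ===== Constructed IdP attribute-filter.xml (IdP 3.2 or later) ===== -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Policy 1: release what the requester's metadata asks for, using the
       3.2+ default onlyIfRequired="true". displayName is NOT released here
       because its request is optional. For eduPersonAffiliation only the
       value "staff" is permitted: value matching is string-based against the
       RequestedAttribute values, so "member" or "faculty" are dropped. -->
  <AttributeFilterPolicy id="releaseRequiredRequestedAttributes">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="AttributeInMetadata"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="AttributeInMetadata"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Policy 2: also honour optional requests, but never fall back to
       "release everything" for an SP whose metadata lists no
       RequestedAttribute at all (false is the default; stated explicitly). -->
  <AttributeFilterPolicy id="releaseOptionalRequestedAttributes">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="AttributeInMetadata"
          onlyIfRequired="false" matchIfMetadataSilent="false"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Policy 3 (second IdP of the scenario above): this IdP has no internal
       "mail" attribute. attributeName coerces the metadata lookup to the mail
       OID, so the SP's request is satisfied from the internal "preferredEmail"
       attribute, which (assumption) attribute-resolver.xml encodes under that
       same OID so that it appears on the wire as mail. -->
  <AttributeFilterPolicy id="releaseMailFromPreferredEmail">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="preferredEmail">
      <PermitValueRule xsi:type="AttributeInMetadata"
          attributeName="urn:oid:0.9.2342.19200300.100.1.3"
          attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- Policy 4: with attributeID the same type is a PolicyRule. The whole
       policy applies only to SPs whose metadata requests this IdP's "mail"
       attribute (matched through its encoders). -->
  <AttributeFilterPolicy id="releaseAffiliationToSPsThatRequestMail">
    <PolicyRequirementRule xsi:type="AttributeInMetadata" attributeID="mail"/>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

Two caveats follow directly from the table. First, matchIfMetadataSilent="true" is a release-everything fallback for any SP whose AttributeConsumingService lists no RequestedAttribute, so leave it at its default of false unless that is the intended policy. Second, the onlyIfRequired default was erroneously false before release 3.2, so a filter that relied on the default on an older IdP was also releasing optionally requested attributes; set the attribute explicitly if the policy must behave identically across versions.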