The MappedAttributeInMetadata type describes a Matcher which filters results based upon any RequestedAttributes associated with the Metadata for the AttributeConsumingService for the request.
In contrast to the saml:SAMLAttributeInMetadata type, the attribute values are compared as native IdP attribute values. That is to say, when the SAML metadata is loaded, the RequestedAttributes are interrogated and the attribute encoding defined by the AttributeEncoders is reversed. This means that:
- Any Attribute Value type can be compared (programmatically speaking the comparison is delegated to the implementation of the AttributeValue)
- The cost of applying the mapping from RequestedAttributes is encountered once, when the metadata is loaded (and that in a background thread) as opposed to being done every time the Matcher is encountered.
- All potential mappings of the RequestedAttribute are available for comparison (rather than just the first one found which matches)
The parameterization controls:
- What the behavior is if the ACS has no RequestedAttributes (matchIfMetadataSilent)
- What the behavior is with respect to the isRequired Attribute inside the RequestedAttribute
- Whether this is a Matcher or a PolicyRule (attributeID)
The MappedAttributeInMetadata type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.
Prior to release 3.2.0 the basic:AttributeRequesterRegex type was defined by the urn:mace:shibboleth:2.0:afp:mf:basic schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.
Use of that namespace is deprecated, but is supported.
| Name | Type | Default | Description |
|---|---|---|---|
| matchIfMetadataSilent | boolean | false | If true then all input values are returned if the Metadata for the ACS contains no RequestedAttributes. This attribute has no effect if the ACS contains some RequestedAttributes |
| onlyIfRequired | boolean | true (erroneously false prior to 3.2, see here) | If this is true and RequestedAttribute does not specify |
| attributeID | String | optional | If this is present then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. |
See AttributeValueString for an example of how attributeID changes the meaning of a Matcher in a slightly less daunting environment.
As mentioned above, value matching is delegated to the AttributeValue implementation, allowing a wider range of comparisons.
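The two uses described above, as an added configuration example that is not taken from the original page or from the Shibboleth project. It assumes the 3.2.0+ namespace (urn:mace:shibboleth:2.0:afp) as the default namespace; the policy ids and the attribute ids (mail, eduPersonEntitlement, eduPersonScopedAffiliation) are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: policy ids and attribute ids are assumptions, not from the page. -->
<AttributeFilterPolicyGroup id="ExampleRequestedAttributes"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Matcher form: no attributeID, so the type filters the values of the
         attribute named by the enclosing AttributeRule. -->
    <AttributeFilterPolicy id="releaseMailIfRequested">
        <PolicyRequirementRule xsi:type="ANY"/>
        <AttributeRule attributeID="mail">
            <!-- matchIfMetadataSilent="false" (the default): an ACS with no
                 RequestedAttributes does not cause all input values to be returned.
                 onlyIfRequired controls how the isRequired flag on the
                 RequestedAttribute is treated. -->
            <PermitValueRule xsi:type="MappedAttributeInMetadata"
                    onlyIfRequired="true"
                    matchIfMetadataSilent="false"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- PolicyRule form: attributeID is present, so the rule is true when the
         Matcher, applied to eduPersonEntitlement, matches any values. The
         policy's AttributeRules then apply only in that case. -->
    <AttributeFilterPolicy id="releaseAffiliationWhenEntitlementRequested">
        <PolicyRequirementRule xsi:type="MappedAttributeInMetadata"
                attributeID="eduPersonEntitlement"
                onlyIfRequired="false"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Setting matchIfMetadataSilent to true in the first policy would return all input values of mail to every relying party whose ACS lists no RequestedAttributes, so leave it false unless that wider release is intended.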
AttributeInMetadata or MappedAttributeInMetadata?
AttributeInMetadata and MappedAttributeInMetadata are matchers with significant overlap. In practice, use AttributeInMetadata if you need to coerce the attributeName or attributeNameFormat, and MappedAttributeInMetadata if you need to compare non-string values or are concerned about the extra cost of constantly performing the lookup in the ACS.