
Overview

The MappedAttributeInMetadata type describes a Matcher which filters results based upon any RequestedAttributes associated with the Metadata for the AttributeConsumingService for the request.

In contrast to the saml:SAMLAttributeInMetadata type, the attribute values are compared as native IdP attribute values. That is to say, when the SAML metadata is loaded, the RequestedAttributes are interrogated and the attribute encoding defined by the AttributeEncoders is reversed. This means that

  • Any AttributeValue type can be compared (programmatically speaking, the comparison is delegated to the implementation of the AttributeValue).
  • The cost of applying the mapping from RequestedAttributes is incurred once, when the metadata is loaded (and that in a background thread), as opposed to every time the Matcher is encountered.
  • All potential mappings of the RequestedAttribute are available for comparison (rather than just the first one found which matches).

The parameterization controls:

  • What the behavior is if the ACS has no RequestedAttributes (matchIfMetadataSilent).
  • What the behavior is with respect to the isRequired attribute inside the RequestedAttribute (onlyIfRequired).
  • Whether this is a Matcher or a PolicyRule (attributeID).

The MappedAttributeInMetadata is a Matcher which consults RequestedAttributes.

For a PolicyRule which consults EntityAttributes (associated with the SAML2 Metadata Entity for the SP), use EntityAttributeExact or EntityAttributeRegex.

Schema Name

The MappedAttributeInMetadata type is defined by the urn:mace:shibboleth:2.0:afp schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp.xsd.

Prior to release 3.2.0, the basic:AttributeRequesterRegex type was defined by the urn:mace:shibboleth:2.0:afp:mf:basic schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-afp-mf-basic.xsd.

Use of that namespace is deprecated, but still supported.

Attributes

Name | Type | Default | Description
matchIfMetadataSilent | boolean | false | If true, then all input values are returned if the Metadata for the ACS contains no RequestedAttributes. This attribute has no effect if the ACS contains some RequestedAttributes.
onlyIfRequired | boolean | true (erroneously false prior to 3.2, see here) | If this is true and the RequestedAttribute does not specify isRequired="true", then no values are matched.
attributeID | String | optional | If this is present, then this is a PolicyRule returning true if the Matcher, when applied to the attribute with this ID, matches any values. See AttributeValueString for an example of how attributeID changes the meaning of a Matcher in a slightly less daunting environment.

As mentioned above, value matching is delegated to the AttributeValue implementation, allowing a wider range of comparisons than string equality.

AttributeInMetadata or MappedAttributeInMetadata?

AttributeInMetadata and MappedAttributeInMetadata are matchers with significant overlap. In practice, use AttributeInMetadata if you need to coerce the attributeName or attributeNameFormat, and MappedAttributeInMetadata if you need to compare non-string values or are concerned about the extra cost of performing the lookup in the ACS on every request.

Child Elements

None

Example

<PermitValueRule xsi:type="MappedAttributeInMetadata" id="PermitRule" onlyIfRequired="true" matchIfMetadataSilent="true"/>
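The following is an added example, not from the original page, that puts the matcher in context: a constructed excerpt of an SP's metadata and an attribute filter policy that uses MappedAttributeInMetadata once as a PolicyRule (via attributeID) and twice as a PermitValueRule. It assumes the deployment's AttributeEncoders map the two standard eduPerson OIDs back to IdP attributes with the IDs eduPersonPrincipalName and eduPersonScopedAffiliation; the policy id and sample values are invented.

```xml
<!-- (1) Constructed SP metadata excerpt.  When this is loaded, the IdP reverses
     its AttributeEncoders: the two OIDs below map back to the IdP attribute IDs
     eduPersonPrincipalName and eduPersonScopedAffiliation (assumed encoder
     configuration), and "member@example.org" is held as a native scoped value. -->
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:AttributeConsumingService index="1">
    <md:ServiceName xml:lang="en">Example Service</md:ServiceName>
    <md:RequestedAttribute isRequired="true"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonPrincipalName"/>
    <md:RequestedAttribute isRequired="false"
        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
        FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example.org</saml:AttributeValue>
    </md:RequestedAttribute>
  </md:AttributeConsumingService>
</md:SPSSODescriptor>

<!-- (2) Attribute filter policy consuming that metadata (policy id invented). -->
<AttributeFilterPolicy id="releaseToRequestingSPs" xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- attributeID turns the matcher into a PolicyRule: the policy applies only if
       the SP's ACS requests eduPersonPrincipalName with isRequired="true"
       (onlyIfRequired) and the matcher, applied to that attribute, matches a value. -->
  <PolicyRequirementRule xsi:type="MappedAttributeInMetadata"
      attributeID="eduPersonPrincipalName" onlyIfRequired="true"/>

  <!-- Matcher form.  The SP marked this attribute isRequired="false", so
       onlyIfRequired must be false here or no values are released.  The scoped
       value "member@example.org" is released; "staff@example.org" is not. -->
  <AttributeRule attributeID="eduPersonScopedAffiliation">
    <PermitValueRule xsi:type="MappedAttributeInMetadata" onlyIfRequired="false"/>
  </AttributeRule>

  <!-- matchIfMetadataSilent="true" releases every value only when the ACS lists
       no RequestedAttributes at all; with the metadata above it has no effect. -->
  <AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="MappedAttributeInMetadata"
        onlyIfRequired="true" matchIfMetadataSilent="true"/>
  </AttributeRule>
</AttributeFilterPolicy>
```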