Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Attribute In Metadata Matching Rule

This matching rule evaluates to true if the attribute requester's metadata contains a <RequestedAttribute> element matching a designated attribute (since v2.4).

This filter requires that the metadata for the attribute requester is loaded and available. It looks for an <AttributeConsumingService> element in the SP's metadata that corresponds to the authentication request (either by default or by explicit reference via an AttributeConsumingServiceIndex attribute in the request message). Matching then proceeds based on the contents of that element.

Limited support is provided for value matching. Using simple <AttributeValue> elements in metadata works to filter specific values of matched attributes.

Define the Rule

This matching rule cannot be used in a policy requirement rule, only in attribute rules.

This rule is defined by the element <PermitValueRule xsi:type="saml:AttributeInMetadata">, for permit value rules, with the following optional attributes:

  • onlyIfRequired - match only if the requested attribute is flagged in the metadata as isRequired, defaults to true
  • matchIfMetadataSilent - match if the metadata contains no <AttributeConsumingService> element at all, defaults to false.
Code Block
titleExample Permit Rule using the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonPrincipalName">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>

A more complete example is found elsewhere in this wiki.