Page tree

The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 and SP3 wiki spaces for current documentation on the supported versions.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

Attribute In Metadata Matching Rule

This matching rule evaluates to true if the attribute requester's metadata contains a <RequestedAttribute> element matching a designated attribute (since v2.4).

This filter requires that the metadata for the attribute requester is loaded and available. It looks for an <AttributeConsumingService> element in the SP's metadata that corresponds to the authentication request (either by default or by explicit reference via an AttributeConsumingServiceIndex attribute in the request message). Matching then proceeds based on the contents of that element.

Limited support is provided for value matching. Using simple <AttributeValue> elements in metadata works to filter specific values of matched attributes.

Define the Rule

This matching rule cannot be used in a policy requirement rule, only in attribute rules.

This rule is defined by the element <PermitValueRule xsi:type="saml:AttributeInMetadata">, for permit value rules, with the following optional attributes:

  • onlyIfRequired - match only if the requested attribute is flagged in the metadata as isRequired, defaults to true
  • matchIfMetadataSilent - match if the metadata contains no <AttributeConsumingService> element at all, defaults to false.
Example Permit Rule using the AttributeInMetadata Function
<AttributeRule attributeID="eduPersonPrincipalName">
  <PermitValueRule xsi:type="saml:AttributeInMetadata" onlyIfRequired="false"/>

A more complete example is found elsewhere in this wiki.

  • No labels