The Shibboleth 2.x software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP30 and SP3 wiki spaces for current documentation on the supported versions.

The <MetadataFilter> element configures a filter that examines metadata supplied by a metadata provider and deletes it if it fails to satisfy the filter's requirements.

Filters are generally used to impose additional security requirements on metadata.

Common Attributes

  • type (string)
    • Name of plugin type.

Signature MetadataFilter

Identified by type="Signature", validates any XML Signatures found in the metadata according to trust information configured into the filter. Embedded signatures are checked, but a primary signature over the metadata instance as a whole MUST be present.

<MetadataFilter type="Signature" key="signer.pem"/>

A variety of configuration options can be used, but they are mutually exclusive.

Attributes

  • key (local pathname)
    • Path to a public key to use to verify signature(s).
  • certificate (local pathname)
    • Path to a certificate containing a public key to use to verify signature(s). The certificate's other content is ignored.

Child Elements

  • <CredentialResolver>
    • Used to resolve public keys to use while verifying signatures. The shorthand attribute syntax above is simpler to use for a single key, but a Chaining resolver can be used to supply multiple signing keys to the filter.
  • <TrustEngine>
    • Allows signatures to be validated using the more comprehensive trust engine interface, which allows for a richer interpretation of signature and key information.

Whitelist MetadataFilter

Identified by type="Whitelist", deletes metadata for any entity not listed inside the plugin's configuration.

<MetadataFilter type="Whitelist">
    <Include>https://sp.goodguy.com/shibboleth</Include>
</MetadataFilter>

Child Elements

  • <Include> (zero or more)
    • The element's content is matched against each entityID found in the source metadata and only matching entities are kept.

Blacklist MetadataFilter

Identified by type="Blacklist", deletes metadata for any entity or entity group listed inside the plugin's configuration.

<MetadataFilter type="Blacklist">
    <Exclude>https://sp.badguy.com/shibboleth</Exclude>
</MetadataFilter>

Child Elements

  • <Exclude> (zero or more)
    • The element's content is matched against each entityID or group Name found in the source metadata, and matching entities are removed. When a group is excluded, all children of the group are removed without further examination by any filters.
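The following Python script is an added worked example, not code from the Shibboleth SP, that models the Whitelist and Blacklist semantics described in the two sections above on a small constructed metadata aggregate. The group Names (urn:example:federation, urn:example:partner-group) and the partner entityIDs are constructed; the goodguy/badguy entityIDs are the ones used on this page. The Signature filter is not modelled, since cryptographic verification needs an XML Signature library; the example only shows how entity and group pruning behaves, including the case where an excluded group takes all of its children with it.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY = f"{{{MD_NS}}}EntityDescriptor"
GROUP = f"{{{MD_NS}}}EntitiesDescriptor"

# Constructed sample aggregate (not from the page): one nested group and four
# entities. Signatures are omitted because this example does not verify them.
SAMPLE_METADATA = f"""
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="urn:example:federation">
  <md:EntitiesDescriptor Name="urn:example:partner-group">
    <md:EntityDescriptor entityID="https://sp.partner.example/shibboleth"/>
    <md:EntityDescriptor entityID="https://sp.other.example/shibboleth"/>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://sp.goodguy.com/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp.badguy.com/shibboleth"/>
</md:EntitiesDescriptor>
"""


def entity_ids(root):
    """entityIDs still present in the document, in document order."""
    if root is None:
        return []
    return [e.get("entityID") for e in root.iter(ENTITY)]


def whitelist_filter(root, include):
    """Whitelist semantics: keep only EntityDescriptors whose entityID is listed.
    Group Names play no part; groups are merely descended into."""
    include = set(include)
    if root.tag == ENTITY:  # a single-entity document is kept or dropped whole
        return root if root.get("entityID") in include else None

    def prune(parent):
        for child in list(parent):  # copy: removing while iterating is unsafe
            if child.tag == ENTITY and child.get("entityID") not in include:
                parent.remove(child)
            elif child.tag == GROUP:
                prune(child)

    prune(root)
    return root


def blacklist_filter(root, exclude):
    """Blacklist semantics: drop listed entities, and drop listed groups whole.
    Children of an excluded group are removed without being examined."""
    exclude = set(exclude)
    if root.tag == ENTITY:
        return None if root.get("entityID") in exclude else root
    if root.get("Name") in exclude:  # the top-level group itself is listed
        return None

    def prune(parent):
        for child in list(parent):
            if child.tag == ENTITY and child.get("entityID") in exclude:
                parent.remove(child)
            elif child.tag == GROUP:
                if child.get("Name") in exclude:
                    parent.remove(child)  # subtree goes with it, unexamined
                else:
                    prune(child)

    prune(root)
    return root


def apply_filters(xml_text, include=None, exclude=None):
    """Run an optional Whitelist then an optional Blacklist, as two configured
    <MetadataFilter> elements would, and report the surviving entityIDs."""
    root = ET.fromstring(xml_text)
    if include is not None:
        root = whitelist_filter(root, include)
    if root is not None and exclude is not None:
        root = blacklist_filter(root, exclude)
    return entity_ids(root)


if __name__ == "__main__":
    print("unfiltered:", apply_filters(SAMPLE_METADATA))
    print("whitelist: ", apply_filters(SAMPLE_METADATA, include=["https://sp.goodguy.com/shibboleth"]))
    print("blacklist: ", apply_filters(SAMPLE_METADATA, exclude=["urn:example:partner-group"]))
```

The group case is the one worth checking in a real deployment: excluding a group Name silently removes every entity beneath it, so a Blacklist that names a federation-level group can empty the aggregate entirely, and the filters are applied in the order they are configured.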