The <MetadataFilter>
element configures a filter that examines metadata supplied by a metadata provider and deletes it if it fails to satisfy the filter's requrements.
Filters are generally used to impose additional security requirements on metadata.
Common Attributes
type
(string)- Name of plugin type.
Signature MetadataFilter
Identified by type="Signature"
, validates any XML Signatures found in the metadata according to trust information configured into the filter. Embedded signatures are checked, but a primary signature over the metadata instance as a whole MUST be present.
<MetadataFilter type="Signature" key="signer.pem"/>
A variety of configuration options can be used, but they are mutually exclusive.
Attributes
certificate
(local pathname)- Path to a certificate containing a public key to use to verify signature(s). The certificate's other content is ignored.
Version 2.1 and Above
verifyRoles
(boolean) (defaults to false)- If true, every entity's nested role or affiliation descriptor elements will be examined, and if signed, also verified. This introduces significant overhead to loading large metadata files, and such signing is unusual, so this is off by default.
verifyName
(boolean) (defaults to true)- If false, and a trust engine is configured for verification (see below), then the name of the signing certificate is ignored in the case of trust engines that would otherwise require checking of credential names. This is usually a dangerous option to disable.
Child Elements
<CredentialResolver>
(optional)- Used to resolve public keys to use while verifying signatures. The shorthand attribute syntax above is simpler to use for a single key, but a Chaining resolver can be used to supply multiple signing keys to the filter.
<TrustEngine>
(optional)- Allows signatures to be validated using the more comprehensive trust engine interface, which allows for a richer interpretation of signature and key information. By default, the name of the entity over which a signature is being verified is used as the required certificate name for trust engines that verify credential names.
Whitelist MetadataFilter
Identified by type="Whitelist"
, deletes metadata for any entity not listed inside the plugin's configuration.
<MetadataFilter type="Whitelist"> <Include>https://sp.goodguy.com/shibboleth</Include> </MetadataFilter>
Child Elements
<Include>
(zero or more)- The element's content is matched against each
entityID
found in the source metadata and only matching entities are kept.
- The element's content is matched against each
Blacklist MetadataFilter
Identified by type="Blacklist"
, deletes metadata for any entity or entity group listed inside the plugin's configuration.
<MetadataFilter type="Blacklist"> <Exclude>https://sp.badguy.com/shibboleth</Exclude> </MetadataFilter>
Child Elements
<Exclude>
(zero or more)- The element's content is matched against each
entityID
or groupName
found in the source metadata and only matching entities are kept. When groups are excluded, all children of the group are excluded without further examination by any filters.
- The element's content is matched against each
RequireValidUntil MetadataFilter (Version 2.1 and Above)
Identified by type="RequireValidUntil"
, rejects metadata whose root element does not contain a validUntil
attribute, or whose validity period exceeds a threshold.
<MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>
Attributes
maxValidityInterval
(time in seconds) (defaults to 604800, seven days)- Maximum permitted delta between the current time and the expiration of the metadata.
EntityRoleWhiteList MetadataFilter (Version 2.2 and Above)
Identified by type="EntityRoleWhiteList"
, removes unneeded/irrelevant role information from metadata to save memory.
<MetadataFilter type="EntityRoleWhiteList"> <RetainedRole>md:IDPSSODescriptor</RetainedRole> </MetadataFilter>
Attributes
removeRolelessEntityDescriptors
(boolean) (defaults to true)- If true, then any subordinate EntityDescriptor objects are removed if they don't contain any roles after filtering.
removeEmptyEntitiesDescriptors
(boolean) (defaults to true)- If true, then any subordinate EntitiesDescriptor objects are removed if they don't contain any child entities or groups after filtering.
Child Elements
RetainedRole
(one or more)- Contains the qualified element or type name of a role to retain.