
Previous Stable Release

Please note that the V3 release branch is now the previous stable release, with the current stable releases from the V4 branch.
Support for V3 will end on Dec 31, 2020.


This feature requires V3.3 and above.

A filter of type NameIDFormat adds SAML <md:NameIDFormat> elements to metadata in order to drive software behavior (primarily Name Identifier format selection).

The filter content is a sequence of string-valued <Format> elements interleaved with entity selectors. When an <Entity> or <ConditionRef> (or, in V3.4+, a <ConditionScript>) element is encountered while the filter content is processed, every <Format> that precedes it is attached to all of the recognized format-supporting roles of the matching entities. The filter cannot limit which roles receive the formats; they are attached to every applicable role of a matched entity.

Filter order is important!

This filter changes the content of the metadata, so a filter of type NameIDFormat should appear after any SignatureValidationFilter in the overall MetadataProvider. If it runs first, the document checked by the signature filter is no longer the one the federation signed, so validation of signed metadata fails.

Schema

The <MetadataFilter> element and the type NameIDFormat are defined by the urn:mace:shibboleth:2.0:metadata schema, which can be located at http://shibboleth.net/schema/idp/shibboleth-metadata.xsd.

Attributes

None.

Child Elements

Any of the following can be supplied in any order.

Name	Description
<Format>	The content is a name identifier format. It is added to all the applicable roles of the entities matched by any <Entity>, <ConditionRef> or <ConditionScript> element that follows it.
<Entity>	The textual content is an entityID. All preceding formats are added to the applicable roles of the entity with this ID.
<ConditionRef>	The textual content is the bean ID of a Predicate<EntityDescriptor>. All preceding formats are added to the applicable roles of every entity for which the predicate returns true.
<ConditionScript> (V3.4+)	The content is an inline or local script resource that implements Predicate<EntityDescriptor>. All preceding formats are added to the applicable roles of every entity for which the script returns true.

Examples

This example adds the "persistent" format to the first entity, and both the "persistent" and "emailAddress" formats to the second: each <Entity> receives every <Format> that precedes it in the filter.

Add NameIDFormat elements to metadata
<MetadataFilter xsi:type="NameIDFormat">
	<Format>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Format>
	<Entity>https://sp1.example.org</Entity>
	<Format>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</Format>
	<Entity>https://sp2.example.org</Entity>
</MetadataFilter>

The following example, using features specific to V3.4, is similar, but the entities to which the formats apply are selected with inline scripts. These particular scripts are not especially useful (an <Entity> element does the same job), but they demonstrate the syntax. The script receives the EntityDescriptor as "input", and the value of its last expression is the predicate result.

V3.4+: Use of scripts
<MetadataFilter xsi:type="NameIDFormat">
	<Format>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Format>
	<ConditionScript>
	    <Script>
	    <![CDATA[
		    input.getEntityID().equals("https://sp1.example.org");
	    ]]>
	    </Script>
	</ConditionScript>
	<Format>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</Format>
	<ConditionScript>
	    <Script>
	    <![CDATA[
		    input.getEntityID().equals("https://sp2.example.org");
	    ]]>
	    </Script>
	</ConditionScript>
</MetadataFilter>
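The fragment below is an added example written for this page, not configuration from the original page or from the Shibboleth project. It shows the two points above in one place: the NameIDFormat filter placed after signature validation in a federation MetadataProvider (as in conf/metadata-providers.xml), and a V3.4+ <ConditionScript> that does something an <Entity> element cannot. The metadata URL, backing file, signer certificate path, entityIDs and the ".internal.example.org" domain are all hypothetical.

```xml
<!-- Added example (not from the original page): one feed inside the
     ChainingMetadataProvider in conf/metadata-providers.xml.
     All URLs, paths and entityIDs below are hypothetical. -->
<MetadataProvider id="ExampleFederation" xsi:type="FileBackedHTTPMetadataProvider"
                  metadataURL="https://federation.example.org/metadata/federation.xml"
                  backingFile="%{idp.home}/metadata/federation.xml">

    <!-- 1. Verify the federation signature on the document as published.
            Content-changing filters must come after this one. -->
    <MetadataFilter xsi:type="SignatureValidation"
                    requireSignedRoot="true"
                    certificateFile="%{idp.home}/credentials/federation-signer.pem"/>

    <!-- 2. Reject feeds without a validUntil, or with one too far in the future. -->
    <MetadataFilter xsi:type="RequiredValidUntil" maxValidityInterval="P14D"/>

    <!-- 3. Only now modify content: add <md:NameIDFormat> elements. -->
    <MetadataFilter xsi:type="NameIDFormat">

        <!-- "persistent" is attached to every entity matched from here on. -->
        <Format>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</Format>
        <Entity>https://sp1.example.org/shibboleth</Entity>

        <!-- Entities matched below get both "persistent" and "transient",
             because every preceding <Format> accumulates. -->
        <Format>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</Format>
        <ConditionScript>
            <Script>
            <![CDATA[
                // V3.4+. "input" is the EntityDescriptor under evaluation and
                // the value of the last expression is the predicate result.
                // Match every entity whose entityID is a host under a
                // (hypothetical) internal domain; guard against a null ID.
                var id = input.getEntityID();
                id != null && /^https:\/\/[^\/]+\.internal\.example\.org(\/|$)/.test(id);
            ]]>
            </Script>
        </ConditionScript>
    </MetadataFilter>
</MetadataProvider>
```

Because the filter rewrites what each relying party appears to support, a broad <ConditionScript> silently changes NameID format selection for every entity it matches, regardless of what those SPs actually published. Keep the predicate as narrow as the deployment needs, and keep the filter behind SignatureValidation so the federation signature is still checked against the unmodified document.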