The <MetadataFilter> element configures a filter that examines metadata supplied by a metadata provider and deletes it if it fails to satisfy the filter's requirements.

Filters are generally used to impose additional security requirements on metadata.

Common Attributes


Signature MetadataFilter

Identified by type="Signature", validates any XML Signatures found in the metadata according to trust information configured into the filter. Embedded signatures are checked, but a primary signature over the metadata instance as a whole MUST be present.

<MetadataFilter type="Signature" key="signer.pem"/>

A variety of configuration options can be used, but they are mutually exclusive.

Attributes

Version 2.1 and Above

Child Elements


Whitelist MetadataFilter

Identified by type="Whitelist", deletes metadata for any entity not listed inside the plugin's configuration.

<MetadataFilter type="Whitelist">
    <Include>https://sp.goodguy.com/shibboleth</Include>
</MetadataFilter>

Child Elements


Blacklist MetadataFilter

Identified by type="Blacklist", deletes metadata for any entity or entity group listed inside the plugin's configuration.

<MetadataFilter type="Blacklist">
    <Exclude>https://sp.badguy.com/shibboleth</Exclude>
</MetadataFilter>

Child Elements


RequireValidUntil MetadataFilter (Version 2.1 and Above)

Identified by type="RequireValidUntil", rejects metadata whose root element does not contain a validUntil attribute, or whose validity period exceeds a threshold.

<MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>
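
The rule above can be approximated offline to check a metadata file before the SP loads it. This is an added example, not Shibboleth SP code: the function names and sample metadata are constructed, the validity period is assumed to be measured from the current time to validUntil, and the expiry check goes beyond what this page states.

```python
# Added illustration, not Shibboleth SP code: approximates the RequireValidUntil
# rule so a metadata file can be checked before the SP loads it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def check_valid_until(metadata_xml, max_validity_interval, now=None):
    """Return (accepted, reason). max_validity_interval is in seconds."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    valid_until = root.get("validUntil")  # unqualified attribute on the root
    if valid_until is None:
        return False, "root element has no validUntil attribute"
    expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if expires.tzinfo is None:  # assumption: treat zone-less values as UTC
        expires = expires.replace(tzinfo=timezone.utc)
    remaining = (expires - now).total_seconds()
    if remaining <= 0:  # extra check added here; validUntil is the expiry time
        return False, "metadata already expired"
    if remaining > max_validity_interval:
        return False, "validity period exceeds maxValidityInterval"
    return True, "ok"

def sample_metadata(valid_until=None):
    """Constructed sample: an empty EntitiesDescriptor, optionally with validUntil."""
    attr = f' validUntil="{valid_until}"' if valid_until else ""
    return f'<EntitiesDescriptor xmlns="{MD_NS}"{attr}/>'

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for vu in (None, "2024-01-06T00:00:00Z", "2024-01-31T00:00:00Z"):
        print(vu, check_valid_until(sample_metadata(vu), 604800, now))
```

With maxValidityInterval="604800" (seven days), the five-day sample is accepted, while the thirty-day sample and the one without validUntil are rejected.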

Attributes