The <MetadataFilter> element configures a filter that examines metadata supplied by a metadata provider and adds, modifies, or deletes information depending on the filter's behavior.

Filters are generally used to impose additional security requirements on metadata, or limit the metadata consumed. Others are more advanced and work in conjunction with other software features.

Common Attributes


Signature MetadataFilter

Identified by type="Signature", validates any XML Signatures found in the metadata according to trust information configured into the filter. Embedded signatures are checked, but a primary signature over the metadata instance as a whole MUST be present.

<MetadataFilter type="Signature" certificate="signer.pem"/>

Several configuration options control where the filter's trust information comes from, but they are mutually exclusive.

Attributes

Version 2.1 and Above

Child Elements


Whitelist MetadataFilter

Identified by type="Whitelist", deletes metadata for any entity not matched inside the plugin's configuration.

<MetadataFilter type="Whitelist">
    <Include>https://sp.goodguy.com/shibboleth</Include>
</MetadataFilter>

<MetadataFilter type="Whitelist" matcher="EntityAttributes">
    <saml:Attribute Name="http://id.incommon.org/attribute/entity/category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
</MetadataFilter>

Attributes

Child Elements


Blacklist MetadataFilter

Identified by type="Blacklist", deletes metadata for any entity or entity group listed inside the plugin's configuration.

<MetadataFilter type="Blacklist">
    <Exclude>https://sp.badguy.com/shibboleth</Exclude>
</MetadataFilter>

Attributes

Child Elements


RequireValidUntil MetadataFilter (Version 2.1 and Above)

Identified by type="RequireValidUntil", rejects metadata whose root element does not contain a validUntil attribute, or whose validity period exceeds a threshold.

<MetadataFilter type="RequireValidUntil" maxValidityInterval="604800"/>
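As an added illustration (not part of this documentation or of the Shibboleth SP code), the following Python sketch applies the same rules as the RequireValidUntil filter above and the Whitelist filter's matcher="EntityAttributes" form to a constructed metadata aggregate, which is a useful pre-deployment check on a federation feed. The sample XML, entity IDs and function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
RS = "http://id.incommon.org/category/research-and-scholarship"

# Constructed sample aggregate (not real federation data): one entity tagged with the
# research-and-scholarship entity category, one untagged.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}" xmlns:mdattr="{MDATTR}"
    validUntil="2024-01-08T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://id.incommon.org/attribute/entity/category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>{RS}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""

def _ts(value):
    # SAML dateTime values are UTC; make the "Z" suffix acceptable to fromisoformat on older Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def require_valid_until(xml_text, max_validity_interval, now_iso):
    # Same rule as the RequireValidUntil filter: the root MUST carry validUntil, and it may not
    # lie more than maxValidityInterval seconds beyond "now". Returns (accepted, reason).
    value = ET.fromstring(xml_text).get("validUntil")
    if value is None:
        return False, "root element has no validUntil attribute"
    if _ts(value) > _ts(now_iso) + timedelta(seconds=max_validity_interval):
        return False, "validity period exceeds maxValidityInterval"
    return True, "ok"

def whitelist_entity_attributes(xml_text, name, value):
    # Same rule as Whitelist with matcher="EntityAttributes": an entity survives only if its own
    # mdattr:EntityAttributes extension carries an attribute with this Name and this value.
    kept = []
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        ea = ent.find(f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes")
        if ea is None:
            continue
        for attr in ea.iter(f"{{{SAML}}}Attribute"):
            if attr.get("Name") == name and any(v.text == value for v in attr.iter(f"{{{SAML}}}AttributeValue")):
                kept.append(ent.get("entityID"))
                break
    return kept
```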

Attributes


EntityRoleWhiteList MetadataFilter (Version 2.2 and Above)

Identified by type="EntityRoleWhiteList", removes unneeded/irrelevant role information from metadata to save memory.

<MetadataFilter type="EntityRoleWhiteList">
    <RetainedRole>md:IDPSSODescriptor</RetainedRole>
</MetadataFilter>

Attributes

Child Elements


EntityAttributes MetadataFilter (Version 2.5 and Above)

Identified by type="EntityAttributes", adds <mdattr:EntityAttributes> extension content to entities in order to drive software behavior based on them. Entity attributes are <saml:Attribute> elements that annotate entities in metadata. They can be used to populate user attributes at runtime, drive other metadata filters, or impact discovery interfaces.

<MetadataFilter type="EntityAttributes">
    <saml2:Attribute FriendlyName="state" Name="urn:oid:2.5.4.8" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>Ohio</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="locality" Name="urn:oid:2.5.4.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml2:AttributeValue>Columbus</saml2:AttributeValue>
    </saml2:Attribute>
    <Entity>urn:mace:incommon:osu.edu</Entity>
</MetadataFilter>

Child Elements

All of the <saml:Attribute> tags preceding an <Entity> element will be attached to that entity.


Examples

Additional, more complete examples contributed by users of the software are also available.

Example 1

Reads in InCommon federation metadata, requires that the metadata be signed and carry a validity period, and retains only the IDPSSODescriptor and AttributeAuthorityDescriptor roles (i.e. the roles an SP needs in order to interact with a Shibv2 (SAML2) IdP or a Shibv1 (SAML1) IdP).