Details
Type: Task
Resolution: Done
Priority: Minor
Release 5 - 12/13 Beg Del Adm
Description
For every metadata provider that is defined, we need to write out a filter that removes any entity attributes in the incoming metadata whose names start with the same prefix as the entity attributes the Shibboleth UI is supposed to control. Otherwise someone else could add entity attributes to the metadata that interfere with, or effectively "control", what the Shibboleth UI is meant to be able to control.
We need to "hardcode" (but with a property to set which prefixes are 'hardcoded'?) the filter shown here, for anything starting with the prefix 'http://shibboleth.net/'.
Note that we will similarly want to do that for any custom entity attributes that a deployer creates, perhaps by letting them configure a list of prefixes to exclude?
JJ thinks this will take just a couple of hours for at least filtering out the shibboleth.net ones.
Filter markup from that wiki example:
<MetadataFilter xsi:type="EntityAttributes">
    <!-- remove unauthorized entity attributes -->
    <AttributeFilterScript>
        <Script>
            <![CDATA[
            // an implementation of Predicate<Attribute>
            //
            // if the name of the entity attribute starts with
            // a common prefix of the set of Shibboleth profile
            // URIs, the function returns false, which removes
            // the entity attribute from its entity descriptor
            //
            // the input argument is of type:
            // org.opensaml.saml.saml2.core.Attribute
            //
            (function (attribute) {
                "use strict";
                // Shibboleth profile URI prefix
                var prefix = "http://shibboleth.net/";
                // check the parameter
                if (attribute === null) { return true; }
                // check a prefix of the attribute name
                return ! attribute.getName().startsWith(prefix);
            }(input));
            ]]>
        </Script>
    </AttributeFilterScript>
</MetadataFilter>
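The following is an added example, not code from the Shibboleth wiki or the Shibboleth UI project. It generalises the single-prefix predicate above to a configurable list of reserved prefixes (the "property" the description asks for), and adds the check a deployer-supplied prefix needs before it is embedded in the script body, since an unvalidated prefix could break out of the string literal or the CDATA section. The prefix list, the stub Attribute objects, the sample attribute names and the function names are assumptions for illustration.

```javascript
// Added example, not code from the Shibboleth wiki or the Shibboleth UI project.
// Generalises the single-prefix predicate to a configurable list of reserved
// prefixes. The prefix list, stub Attribute objects, sample names and function
// names below are assumptions for illustration.

// Prefixes whose entity attributes only the UI may set. The second entry stands
// in for a deployer-defined namespace and is hypothetical.
var RESERVED_PREFIXES = [
  "http://shibboleth.net/",
  "urn:example:shibui:"
];

// Predicate<Attribute> in the shape the IdP's AttributeFilterScript expects:
// true keeps the entity attribute, false removes it from the EntityDescriptor.
// Written in ES5 so it would also run under Nashorn; the comparison uses
// substring so it does not rely on String.prototype.startsWith.
function keepEntityAttribute(attribute, prefixes) {
  "use strict";
  if (attribute === null || attribute === undefined) { return true; }
  var name = attribute.getName();
  if (name === null || name === undefined) { return true; }
  name = String(name); // java.lang.String under Nashorn, a JS string here
  for (var i = 0; i < prefixes.length; i++) {
    if (name.substring(0, prefixes[i].length) === prefixes[i]) { return false; }
  }
  return true;
}

// Runs the predicate over one entity's attribute list; returns the survivors
// plus the names that were removed, which is what you would want to log.
function filterEntityAttributes(attributes, prefixes) {
  "use strict";
  var kept = [], dropped = [];
  for (var i = 0; i < attributes.length; i++) {
    if (keepEntityAttribute(attributes[i], prefixes)) {
      kept.push(attributes[i]);
    } else {
      dropped.push(String(attributes[i].getName()));
    }
  }
  return { kept: kept, dropped: dropped };
}

// Deployer-supplied prefixes end up inside a <Script> body, so they must not be
// able to break out of the string literal or the CDATA section. This whitelist
// is an assumption about what a safe prefix looks like: URI-ish characters only
// (no quotes, no "]]>", no whitespace).
var SAFE_PREFIX = /^[A-Za-z0-9:\/._~\-#?=&%+]+$/;

// Renders the script body for the filter with the prefix list embedded as a JSON
// array literal, refusing any prefix the whitelist does not accept.
function renderFilterScript(prefixes) {
  "use strict";
  for (var i = 0; i < prefixes.length; i++) {
    if (!SAFE_PREFIX.test(prefixes[i])) {
      throw new Error("unsafe entity-attribute prefix: " + prefixes[i]);
    }
  }
  return [
    "(function (attribute) {",
    '  "use strict";',
    "  var prefixes = " + JSON.stringify(prefixes) + ";",
    "  if (attribute === null) { return true; }",
    "  var name = String(attribute.getName());",
    "  for (var i = 0; i < prefixes.length; i++) {",
    "    if (name.substring(0, prefixes[i].length) === prefixes[i]) { return false; }",
    "  }",
    "  return true;",
    "}(input));"
  ].join("\n");
}

// Constructed stand-in for org.opensaml.saml.saml2.core.Attribute; only
// getName() is needed by the predicate.
function attr(name) {
  return { getName: function () { return name; } };
}

// Constructed sample of entity attributes as a federation aggregate might carry
// them; the shibboleth.net and urn:example names are made up for the example.
var SAMPLE_ATTRIBUTES = [
  attr("http://macedir.org/entity-category"),               // kept
  attr("http://shibboleth.net/ns/profiles/exampleSetting"), // removed
  attr("urn:example:shibui:customFlag"),                    // removed
  attr("http://shibboleth.net.example.org/lookalike")       // kept: the trailing slash in the prefix matters
];

var result = filterEntityAttributes(SAMPLE_ATTRIBUTES, RESERVED_PREFIXES);
console.log("kept:", result.kept.length, "dropped:", result.dropped);
```

Metadata filters in a chain run in the order they are listed, so this removal filter has to come before whatever filter adds the UI-managed entity attributes; placed after it, it would strip the UI's own attributes as well.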