add ability to filter entity attribute values

Description

We need to be able to manipulate the collection of entity attributes on a particular entity. One approach to this would be to implement an attribute whitelist/blacklist stage class matching format/attribute/value triples. I think literal matches against such triples would be adequate for many use cases (things like entity categories, LoA/IAP identifiers), but simple wildcarding on the attribute value only would probably be useful too.

Another approach would be to re-use the attribute filtering code that the IdP uses, somehow.

For a first implementation, I believe it is reasonable to handle only individual Attribute elements, and refuse to process Assertion children of EntityAttributes. I'm not sure that any manipulation of such Assertions makes sense given their mandatory signature element.

Handling the special case where all entity attributes end up removed (which is not schema-valid) could be done by this code, but would probably be better handled by a separate "remove empty EntityAttributes" stage in the same way as we have a separate "remove empty Extensions" stage. Might make sense to generalise that to a "remove empty X" instead, as this comes up regularly in SAML, which tends to have 1-or-more content constraints.

Environment

None

Activity

Ian Young, December 22, 2015 at 6:01 PM

Closed on release 0.9.0.

Ian Young, December 4, 2015 at 3:53 PM

Implementation pulled in from ukf-mda in commit 8bf78d68d7c51f1286e8310cd7d6b04364a3115f, tidied up and refactored a little in subsequent commits.

Ian Young, July 23, 2014 at 2:42 PM

I have an implementation of an EntityAttributesFilteringStage and some associated matcher classes available in the ukf-mda project. It handles the removal of empty EntityAttributes and Attribute containers, and ignores assertions entirely (i.e., leaves them untouched if they are present).

Pull that implementation in for the next release.

Ian Young, May 27, 2014 at 2:22 PM

We should also be able to match against the entity's registrationAuthority value, so that different policies can be applied to entity attributes from different registrars. For example, an entity category specific to a particular federation should only be accepted if that federation was the registrar.

We should also be able to provide a simpler match class for entity categories in general, because in that case the attribute name and format are determined by the entity category specification.
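The whitelist stage sketched in the description, together with the registrationAuthority condition from this comment, as an added Python illustration (not the MDA's or ukf-mda's own Java code): rules are format/name/value triples with a glob on the value only, an optional required registrar, and empty Attribute and EntityAttributes containers are pruned afterwards. The rule set, the entity, the registrar URIs and the example.org category are constructed for the example.

```python
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
URI = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
EC = "http://macedir.org/entity-category"
# Whitelist rules: (NameFormat, Name, value glob, required registrationAuthority or None).
# Hypothetical policy: REFEDS categories from any registrar; example.org's own
# category only when example.org registered the entity.
RULES = [(URI, EC, "http://refeds.org/category/*", None),
         (URI, EC, "http://example.org/category/*", "http://example.org")]

def filter_entity_attributes(entity, rules=RULES):
    """Drop AttributeValues no rule allows, prune empty containers, return removed pairs."""
    removed = []
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    registrar = info.get("registrationAuthority") if info is not None else None
    ext = entity.find("md:Extensions", NS)
    for ea in ext.findall("mdattr:EntityAttributes", NS) if ext is not None else []:
        # Only bare Attribute children are handled; signed Assertion children stay untouched.
        for attr in ea.findall("saml:Attribute", NS):
            fmt, name = attr.get("NameFormat"), attr.get("Name")
            for val in attr.findall("saml:AttributeValue", NS):
                text = (val.text or "").strip()
                if not any(fmt == f and name == n and fnmatchcase(text, pat)
                           and reg in (None, registrar) for f, n, pat, reg in rules):
                    attr.remove(val)
                    removed.append((name, text))
            if attr.find("saml:AttributeValue", NS) is None:
                ea.remove(attr)          # an Attribute with no values is not schema-valid
        if len(ea) == 0:
            ext.remove(ea)               # neither is an empty EntityAttributes
    return removed

# Constructed entity registered by the UK federation, carrying three attribute values.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}"
  xmlns:saml="{NS['saml']}" xmlns:mdrpi="{NS['mdrpi']}" entityID="https://sp.example.net/sp"><md:Extensions>
 <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
 <mdattr:EntityAttributes><saml:Attribute Name="{EC}" NameFormat="{URI}">
  <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  <saml:AttributeValue>http://example.org/category/members-only</saml:AttributeValue>
 </saml:Attribute><saml:Attribute Name="urn:example:unlisted" NameFormat="{URI}">
  <saml:AttributeValue>x</saml:AttributeValue></saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>"""

def run_sample(rules=RULES):
    entity = ET.fromstring(SAMPLE)
    removed = filter_entity_attributes(entity, rules)
    kept = [v.text for v in entity.iter(f"{{{NS['saml']}}}AttributeValue")]
    return removed, kept, entity.find("md:Extensions/mdattr:EntityAttributes", NS) is not None
```

With the default rules the example.org category is stripped because the UK federation, not example.org, registered the entity; with an empty rule set every value goes and the now-empty EntityAttributes element is removed with it.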

Fixed

Created November 7, 2011 at 2:48 PM
Updated December 22, 2015 at 6:01 PM
Resolved December 4, 2015 at 3:53 PM