
In the Shibboleth configuration, filtering rules can be applied to metadata files. This is mostly needed on the service provider (SP) side, but there are also situations where the IdP needs it. On the IdP side, the more common case is filtering out all IdP entities, to save memory and improve performance.

Shibboleth SP filtering

The most common case at the SP end is to load a metadata file and allow only certain entities from it. In the example, only the entity "https://idp.csc.fi/idp/shibboleth" is allowed from the metadata file.

/etc/shibboleth2.xml
<MetadataProvider>
.
  <MetadataFilter type="Include">
    <Include>https://idp.csc.fi/idp/shibboleth</Include>
  </MetadataFilter>
.
</MetadataProvider>

Shibboleth IdP filtering

In the normal case, the IdP allows only SPSSO entities (SPs) and filters out every other role.

/opt/shibboleth-idp/conf/metadata-providers.xml
<MetadataProvider>
.
  <MetadataFilter xsi:type="EntityRoleWhiteList">
    <RetainedRole>md:SPSSODescriptor</RetainedRole>
  </MetadataFilter>
.
</MetadataProvider>


The IdP filters entities differently from the SP, using Predicate metadata filtering. In the example, only the two listed entities are allowed from the metadata file.

/opt/shibboleth-idp/conf/metadata-providers.xml
<MetadataProvider>
.
  <MetadataFilter xsi:type="Predicate" direction="include" removeEmptyEntitiesDescriptors="true" trim="true">
    <Entity>https://testsp.funet.fi/shibboleth</Entity>
    <Entity>https://testsp.funet.fi/shibboleth/persistent</Entity>
  </MetadataFilter>
.
</MetadataProvider>
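Before changing shibboleth2.xml or metadata-providers.xml it helps to see which entityIDs a filter would actually keep. The script below is an added example, not part of this page or of Shibboleth itself: it re-implements the effect of the three filters shown above (the SP "Include" filter, the IdP "EntityRoleWhiteList" filter and the IdP "Predicate" include filter) on a small, constructed EntitiesDescriptor. The sample metadata and the entityID "https://example.org/both" are assumptions made up for the example; the real filters also run only after signature validation and in the order they are listed, which this script does not model.

```python
"""Offline check of what Shibboleth-style metadata filters would retain.

Added example, not Shibboleth code. It mimics three filters:
  SP  <MetadataFilter type="Include">                    -> keep_entities()
  IdP <MetadataFilter xsi:type="EntityRoleWhiteList">    -> keep_roles()
  IdP <MetadataFilter xsi:type="Predicate" direction=".."> -> keep_entities()
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate: two IdPs, one SP and one entity with both roles.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp.csc.fi/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://testsp.funet.fi/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://example.org/both">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
    <md:SPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

ROLE_TAGS = ("IDPSSODescriptor", "SPSSODescriptor", "AttributeAuthorityDescriptor")


def entity_ids(root):
    """List the entityIDs still present under the EntitiesDescriptor."""
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)]


def keep_entities(root, listed, direction="include"):
    """Include/Predicate-style filter on entityID.

    direction="include" keeps only the listed entities, "exclude" drops them.
    A listed entityID that is absent from the metadata simply matches nothing.
    """
    listed = set(listed)
    for e in list(root.findall("md:EntityDescriptor", NS)):
        hit = e.get("entityID") in listed
        if (direction == "include") != hit:
            root.remove(e)
    return root


def keep_roles(root, retained_roles, remove_roleless=True):
    """EntityRoleWhiteList-style filter: strip every role descriptor that is not
    listed and, by default, drop entities that are left without any role."""
    retained = {r.split(":")[-1] for r in retained_roles}  # "md:SPSSODescriptor" -> "SPSSODescriptor"
    for e in list(root.findall("md:EntityDescriptor", NS)):
        for child in list(e):
            local = child.tag.split("}")[-1]
            if local in ROLE_TAGS and local not in retained:
                e.remove(child)
        if remove_roleless and not any(c.tag.split("}")[-1] in ROLE_TAGS for c in e):
            root.remove(e)
    return root


def sp_include(xml_text, includes):
    """SP: <MetadataFilter type="Include"> with one <Include> per entityID."""
    return entity_ids(keep_entities(ET.fromstring(xml_text), includes))


def idp_role_whitelist(xml_text, roles):
    """IdP: <MetadataFilter xsi:type="EntityRoleWhiteList"> with <RetainedRole>s."""
    return entity_ids(keep_roles(ET.fromstring(xml_text), roles))


def idp_predicate(xml_text, entities, direction="include"):
    """IdP: <MetadataFilter xsi:type="Predicate" direction=...> with <Entity>s."""
    return entity_ids(keep_entities(ET.fromstring(xml_text), entities, direction))


if __name__ == "__main__":
    print(sp_include(SAMPLE_METADATA, ["https://idp.csc.fi/idp/shibboleth"]))
    print(idp_role_whitelist(SAMPLE_METADATA, ["md:SPSSODescriptor"]))
    print(idp_predicate(SAMPLE_METADATA, ["https://testsp.funet.fi/shibboleth",
                                          "https://testsp.funet.fi/shibboleth/persistent"]))
```

Two things the run makes visible: the role whitelist keeps "https://example.org/both" because it still has an SPSSODescriptor after its IdP role is stripped, and the Predicate include filter quietly returns only one entity because the second listed entityID does not exist in the sample metadata, so a typo in an <Entity> value is not reported as an error.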