SAML2 Service Provider Metadata Filtering
This document describes how SAML2 service providers registered with CAS can be tuned to conditionally filter and extract entities from the supplied metadata. The volume of metadata loaded and processed by CAS has a direct impact on memory and CPU consumption and it generally may be considered an appropriate practice to weed and tune out entities in metadata files and resources that are considered inapplicable or unused by CAS.
SAML2 metadata filtering is the process that allows CAS to determine which service provider metadata entities can be extracted, loaded and cached from metadata sources once after the authentication request is authorized. In the end, the SAML2 service provider is seen as authorized to proceed to the next step if its registration record explicitly authorizes CAS to accept authentication requests and there is sufficient metadata found and attached to the request, after the filtering process, that recognizes the service provider.
SAML2 metadata filtering typically follows a directive to either include or exclude an entry that matches the assigned rules. The direction of
the filtering process is controlled by the metadataCriteriaDirection
attribute.
-
A registered SAML2 service provider can be instructed to extract and accept entities from its metadata source when the metadata contains specific entity attributes.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": "^https://.+", "metadataLocation": "/path/to/metadata.xml", "metadataCriteriaDirection": "include", "metadataCriteriaEntityAttributes": { "@class": "java.util.HashMap", "http://macedir.org/entity-category": [ "java.util.ArrayList", [ "http://id.incommon.org/category/research-and-scholarship", "http://refeds.org/category/research-and-scholarship" ] ] } }
The above registration record allows CAS to load metadata for all SAML2 service providers only when:
- Their entity ID follows a pattern that begins with
https://
- Their metadata contains the entity attribute
http://macedir.org/entity-category
- …and the entity attribute carries all values requested in the registration entry.
- Their entity ID follows a pattern that begins with
-
A registered SAML2 service provider can be instructed to extract and accept entities from its metadata source when the metadata contains specific entity IDs.
1 2 3 4 5 6 7 8
{ "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService", "serviceId": ".+", "metadataLocation": "/path/to/metadata.xml", "metadataCriteriaDirection": "include", "metadataCriteriaPattern": "^https://.+.example.org", "metadataCriteriaRoles": "SPSSODescriptor" }
The above registration record allows CAS to load metadata for all SAML2 service providers only when:
- Their entity ID matches the pattern
^https://.+.example.org
- The entity descriptor tag type is one that belongs to a service provider.
- Their entity ID matches the pattern