Attribute Filter for AttributeRequest


Attribute Filter for AttributeRequest

Rosenfeld, Waldemar (extern)

Hi,

 

I have an SP that does an authentication (Kerberos or password) and starts an attribute request with SOAP afterwards.

Since it only has one entityID I configured the same attribute filter for both requests:

<AttributeFilterPolicy id="ExampleSP">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.com/" />
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <AttributeRule attributeID="eduPersonPrincipalName"     permitAny="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="sn"                         permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
        <AttributeRule attributeID="isMemberOf"                 permitAny="true"/>
</AttributeFilterPolicy>

 

In this case, all of the above attributes will be sent to the SP twice: once for the authentication and once for the attribute request.

The attribute “isMemberOf” is only needed for the attribute request and not for the authentication part. Is there any way to permit this attribute only for the attribute request part?

 

Thanks,

Waldemar

 


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


RE: Attribute Filter for AttributeRequest

Rod Widdowson

I suspect that you could dig into the ProfileRequestContext to get the profile being run and fire that up with a PredicateFilter.


RE: Attribute Filter for AttributeRequest

Rod Widdowson
> I suspect that you could dig into the ProfileRequestContext to get the profile being run and fire that up with a PredicateFilter.

Something like:

<bean parent="shibboleth.Conditions.Expression"
      c:_0="#profileContext.getProfileId().equals('http://shibboleth.net/ns/profiles/saml2/query/attribute')" />

would be a rough first estimate of where to start.

R


AW: Attribute Filter for AttributeRequest

Rosenfeld, Waldemar (extern)
Perfect, thank you very much for this hint :)
My solution, if anybody needs something like this:
    <AttributeFilterPolicy id="SPExampleAttributeRequest">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester" value="https://sp.example.com/" />
            <Rule xsi:type="Script" language="JavaScript">
                <Script>
                <![CDATA[
                    // profileContext is the ProfileRequestContext of the running request;
                    // the rule only matches when the SAML 2 attribute query profile is active
                    boolType = Java.type("java.lang.Boolean");
                    context = profileContext.getProfileId();
                    if (context.equals('http://shibboleth.net/ns/profiles/saml2/query/attribute')) {
                        result = new boolType(true);
                    } else {
                        result = new boolType(false);
                    }
                    result;
                ]]>
                </Script>
            </Rule>
        </PolicyRequirementRule>
        <AttributeRule attributeID="isMemberOf" permitAny="true"/>
    </AttributeFilterPolicy>

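The two policies only give the intended result when isMemberOf is also taken out of the general ExampleSP policy: attribute filter policies are additive, so a permit left in the profile-independent policy would still release the attribute during the authentication profile. The complete attribute-filter.xml that combines Waldemar's original policy with his profile-scoped one is shown here as an added example (not from the thread); the policy ids and the group wrapper are assumed names.

```xml
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Released on every profile the SP uses (SSO authentication and SOAP attribute query).
         isMemberOf is deliberately absent: a permit here would apply to both profiles. -->
    <AttributeFilterPolicy id="ExampleSP">
        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.com/" />
        <AttributeRule attributeID="uid"                        permitAny="true"/>
        <AttributeRule attributeID="eduPersonPrincipalName"     permitAny="true"/>
        <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true"/>
        <AttributeRule attributeID="givenName"                  permitAny="true"/>
        <AttributeRule attributeID="sn"                         permitAny="true"/>
        <AttributeRule attributeID="mail"                       permitAny="true"/>
    </AttributeFilterPolicy>

    <!-- Released only when the running profile is the SAML 2 attribute query
         (assumed policy id; the Script rule follows the pattern from the thread). -->
    <AttributeFilterPolicy id="ExampleSPAttributeQueryOnly">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester" value="https://sp.example.com/" />
            <Rule xsi:type="Script" language="JavaScript">
                <Script>
                <![CDATA[
                    // profileContext is the ProfileRequestContext exposed to filter scripts;
                    // result must be a java.lang.Boolean, hence the explicit Java type
                    boolType = Java.type("java.lang.Boolean");
                    profileId = profileContext.getProfileId();
                    result = new boolType(
                        profileId.equals('http://shibboleth.net/ns/profiles/saml2/query/attribute'));
                    result;
                ]]>
                </Script>
            </Rule>
        </PolicyRequirementRule>
        <AttributeRule attributeID="isMemberOf" permitAny="true"/>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

With this layout the SSO response carries the six base attributes only, and the SOAP attribute query response carries all seven; checking both responses after a reload is the quickest way to confirm the split.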

RE: Attribute Filter for AttributeRequest

Rod Widdowson
> Perfect, thank you very much for this hint :)

And it works? Excellent.

I'll chat to the other devs and see about seeing if we can get this documented better (if that’s appropriate).

/Rod
