AttributeDefinition multivalued to single value attribute?

AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
Is there a recommended way to create an AttributeDefinition in the IdP's
attribute-resolver.xml that will map a multivalued source attribute to a
new single valued attribute?

For example, if I have a multivalued source attribute, "someAttr" with
values as follows:

someAttr: foo
someAttr: bar
someAttr: baz

And I would like to define a new attribute, "hasFoo" which has value either
"true" or "false" depending on the value of someAttr.

If I do something like this

<resolver:AttributeDefinition xsi:type="ad:Mapped"
        id="hasFoo-enabled"
        sourceAttributeID="someAttr">

    [...]

    <!-- if someAttr is not "foo" return false -->
    <ad:DefaultValue>false</ad:DefaultValue>

    <!-- map "foo" to "true" -->
    <ad:ValueMap>
        <ad:ReturnValue>true</ad:ReturnValue>
        <ad:SourceValue ignoreCase="true">foo</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

I wind up with a multivalued set of hasFoo like

hasFoo: true
hasFoo: false
hasFoo: false

But the result I really want is just a single hasFoo with value "true" if
there was a someAttr with value "foo", else hasFoo should be "false".

The broader context for this is that I would like to return the single
valued "hasFoo" in an AttributeFilterPolicy, and conditionally release
other attributes based on the value of hasFoo. Maybe there's a better
way to tackle this broader goal?

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

RE: AttributeDefinition multivalued to single value attribute?

Lipscomb, Gary

<AttributeDefinition xsi:type="Mapped"
        id="hasFoo"
        sourceAttributeID="someAttr">
    <Dependency ref="someAttr" />
    <DisplayName xml:lang="en">Has Foo</DisplayName>

    <ValueMap>
        <ReturnValue>true</ReturnValue>
        <SourceValue>foo</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>false</ReturnValue>
        <SourceValue>bar</SourceValue>
        <SourceValue>baz</SourceValue>
    </ValueMap>
</AttributeDefinition>





RE: AttributeDefinition multivalued to single value attribute?

Losen, Stephen C (scl)
In reply to this post by Baron Fujimoto
Hi Baron,

You can test "someAttr" directly in the attribute filter, no need to convert it to "hasfoo-enabled".

<PolicyRequirementRule xsi:type="Value"
  attributeID="someAttr" value="foo" />

This is true if any value of someAttr is "foo".

You can negate like this

<PolicyRequirementRule xsi:type="NOT">
  <Rule xsi:type="Value" attributeID="someAttr" value="foo" />
</PolicyRequirementRule>

This is true if none of the values of someAttr is "foo"

And you can build an arbitrarily complex rule by combining rules with xsi:type="AND" and/or xsi:type="OR"

So you might have a PolicyRequirementRule where the Requester has a particular entityID AND an attribute has a particular value.

https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterPolicyConfiguration


Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640



Re: AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
In reply to this post by Lipscomb, Gary

On Thu, Jun 07, 2018 at 03:14:42AM +0000, Lipscomb, Gary wrote:

>
><AttributeDefinition xsi:type="Mapped"
>        id="hasFoo"
>        sourceAttributeID="someAttr">
>    <Dependency ref="someAttr" />
>    <DisplayName xml:lang="en">Has Foo</DisplayName>
>
>    <ValueMap>
>        <ReturnValue>true</ReturnValue>
>        <SourceValue>foo</SourceValue>
>    </ValueMap>
>    <ValueMap>
>        <ReturnValue>false</ReturnValue>
>        <SourceValue>bar</SourceValue>
>        <SourceValue>baz</SourceValue>
>    </ValueMap>
></AttributeDefinition>

Hi Gary,

Thanks, but I think this is more or less equivalent to my original attempt below? Except I use a <DefaultValue> for the false terms rather than explicitly matching each value with a <ValueMap>. It's not really feasible for us to explicitly match each false value anyway, since the set of these values is not fixed in size and they may have arbitrary values (email addresses would be a good analogy).

This still has the problem I'm trying to solve of resulting in a multivalued "hasFoo" after deduping:

Log excerpt:

DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:434] - Attribute Resolver 'ShibbolethAttributeResolver': De-duping attribute definition hasFoo result
DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Removing duplicate value StringAttributeValue{value=false} of attribute 'hasFoo' from resolution result
DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Removing duplicate value StringAttributeValue{value=false} of attribute 'hasFoo' from resolution result
DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:446] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'hasFoo' has 2 values after post-processing

Excerpt from output of resolvertest:

  {
    "name": "hasFoo",
    "values": [
      "StringAttributeValue{value=false}",
      "StringAttributeValue{value=true}"
    ]
  }

But what I'd really like as a result is:

  {
    "name": "hasFoo",
    "values": [
      "StringAttributeValue{value=true}"
    ]
  }


>-----Original Message-----
>From: users [mailto:[hidden email]] On Behalf Of Baron Fujimoto
>Sent: Thursday, 7 June 2018 12:56
>To: Shib Users <[hidden email]>
>Subject: AttributeDefinition multivalued to single value attribute?
>
>Is there a recommended way to create an AttributeDefinition in the IdP's
>attribute-resolver.xml that will map a multivalued source attribute to a
>new single valued attribute?
>
>For example, if I have the a multivalued source attribute, "someAttr" with
>values as follows:
>
>someAttr: foo
>someAttr: bar
>someAttr: baz
>
>And I would like to define a new attribute, "hasFoo" which has value either
>"true" or "false" depending on the value of someAttr.
>
>If I do something like this
>
><resolver:AttributeDefinition xsi:type="ad:Mapped"
>        id="hasFoo-enabled"
>        sourceAttributeID="someAttr">
>
>    [...]
>
>    <!-- if someAttr is not "foo" return false -->
>    <ad:DefaultValue>false</ad:DefaultValue>
>
>    <!-- map "foo" to "true" -->
>    <ad:ValueMap>
>        <ad:ReturnValue>true</ad:ReturnValue>
>        <ad:SourceValue ignoreCase="true">foo</ad:SourceValue>
>    </ad:ValueMap>
></resolver:AttributeDefinition>
>
>I wind up with a multivalued set of hasFoo like
>
>hasFoo: true
>hasFoo: false
>hasFoo: false
>
>But the result I really want is just a single hasFoo with value "true" if
>there was a someAttr with value "foo", else hasFoo should be "false".
>
>The broader context for this is that I would like to return the single
>valued "hasFoo" in an AttributeFilterPolicy, and conditionally release
>other attributes based on the value of hasFoo. Maybe there's a better
>way to tackle this broader goal?
>
>--
>Baron Fujimoto <[hidden email]> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Re: AttributeDefinition multivalued to single value attribute?

Michael A Grady
If you only want the one value, then why map the other values/have a DefaultValue? You want the other values "not mapped", so don't map them; having a DefaultValue does constitute a "mapping". Simply have nothing for the other values.


--
Michael A. Grady
IAM Architect, Unicon, Inc.





Re: AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
In reply to this post by Losen, Stephen C (scl)
Hi Stephen,

I need to release a hasfoo-enabled attribute to the SP regardless, so I
still need to create this for them rather than have them try to derive it
from the underlying set of someAttr themselves.

Re the attribute release policy, if I put all of the condition in a
<PolicyRequirementRule>, it will apply to all attributes that match the
policy, won't it? Wouldn't that mean I'd actually have to have
two PolicyRequirementRules for this requester? The first would
unconditionally release "hasFoo" attribute (for the matching requester),
and the second to conditionally release the other allowed attributes to
that requester based on the hasFoo value?

The documentation at
<https://wiki.shibboleth.net/confluence/display/IDP30/ValueConfiguration>
suggests it's possible in <PermitValueRule> with a compound matcher
example (marked as deprecated). e.g:

<AttributeRule attributeID="hasFooConditionalAttr">
   <PermitValueRule xsi:type="Value" value="true" ignoreCase="true" attributeID="hasFoo"/>
</AttributeRule>

This appears to work, but it's not clear how you would do this in a non-deprecated manner.

On Thu, Jun 07, 2018 at 10:27:19AM +0000, Losen, Stephen C. (scl) wrote:

>Hi Baron,
>
>You can test "someAttr" directly in the attribute filter, no need to convert it to "hasfoo-enabled".
>
><PolicyRequirementRule xsi:type="Value"
>  attributeID="someAttr" value="foo" />
>
>This is true if any value of someAttr is "foo".
>
>You can negate like this
>
><PolicyRequirementRule xsi:type="NOT">
>  <Rule xsi:type="Value" attributeID="someAttr" value="foo" />
></PolicyRequirementRule>
>
>This is true if none of the values of someAttr is "foo"
>
>And you can build an arbitrarily complex rule by combining rules with xsi:type="AND" and/or xsi:type="OR"
>
>So you might have a PolicyRequirementRule where the Requester has a particular entityID AND an attribute has a particular value.
>
>https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterPolicyConfiguration
>
>
>Stephen C. Losen
>ITS - Systems and Storage
>University of Virginia
>[hidden email]    434-924-0640
>
>

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
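
The pieces discussed in this thread, put together as an added example (not taken from any poster's configuration): a Mapped definition with no DefaultValue, so hasFoo resolves to the single value "true" or is absent, and one AttributeFilterPolicy that releases hasFoo unconditionally while gating hasFooConditionalAttr on it. The policy id and the requester entityID are placeholders, and the unprefixed element names assume the default and xsi namespaces are declared on the root elements as in the stock IdP v3 files.

```xml
<!-- attribute-resolver.xml (fragment) -->
<!-- No DefaultValue: values of someAttr other than "foo" are not mapped,
     so hasFoo is either the single value "true" or not resolved at all.
     Attribute encoders are omitted here, like the "[...]" in the original post. -->
<AttributeDefinition xsi:type="Mapped" id="hasFoo" sourceAttributeID="someAttr">
    <Dependency ref="someAttr" />
    <ValueMap>
        <ReturnValue>true</ReturnValue>
        <SourceValue ignoreCase="true">foo</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- attribute-filter.xml (fragment) -->
<!-- One policy for the requester; each AttributeRule carries its own
     PermitValueRule, so the condition applies per attribute, not per policy. -->
<AttributeFilterPolicy id="example-sp-hasFoo">  <!-- hypothetical id -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/shibboleth" />  <!-- placeholder entityID -->

    <!-- hasFoo itself is released whenever it resolved -->
    <AttributeRule attributeID="hasFoo">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- released only when some value of hasFoo equals "true" -->
    <AttributeRule attributeID="hasFooConditionalAttr">
        <PermitValueRule xsi:type="Value" attributeID="hasFoo"
            value="true" ignoreCase="true" />
    </AttributeRule>
</AttributeFilterPolicy>
```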

Re: AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
In reply to this post by Michael A Grady
I suppose because we wanted to return an explicit "true" or "false" to the
SP. If we simply don't return the hasFoo attribute they'd have to infer
hasFoo=false. I suppose if we must, we can go back to them and see if the
design change is feasible for them.

On Fri, Jun 08, 2018 at 03:29:20PM -0500, Michael A Grady wrote:

>If you only want the one value, then why map the other values/have a DefaultValue? You want the other values "not mapped", so don't map them; having a DefaultValue does constitute a "mapping". Simply have nothing for the other values.
>
>
>--
>Michael A. Grady
>IAM Architect, Unicon, Inc.


--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

RE: AttributeDefinition multivalued to single value attribute?

Cantor, Scott E.
In reply to this post by Baron Fujimoto
> This appears to work, but it's not clear how you would do this in a non-
> deprecated manner.

I don't know what's deprecated about it but if it doesn't WARN about something, I imagine the documentation isn't right.

-- Scott


RE: AttributeDefinition multivalued to single value attribute?

Cantor, Scott E.
In reply to this post by Baron Fujimoto
> I suppose because we wanted to return an explicit "true" or "false" to the SP. If
> we simply don't return the hasFoo attribute they'd have to infer hasFoo=false. I
> suppose if we must, we can go back to them and see if the design change is
> feasible for them.

It has to be, or they will have a bug because there is no way anybody can ever assume any attribute is present, that's just not done. You have to handle it (even if that means a Forbidden or whatever). So it's pretty obvious that handling missing as "whatever the default should be" is just a given.

-- Scott


Re: AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
In reply to this post by Baron Fujimoto
To elaborate, if we can provide them an explicit true/false value for
hasFoo, they can use this to distinguish a possible reason why other
requested attributes may have conditionally not been released (as opposed
to say, those other attributes simply not existing themselves perhaps)

On Fri, Jun 08, 2018 at 11:17:55AM -1000, Baron Fujimoto wrote:

>I suppose because we wanted to return an explicit "true" or "false" to the
>SP. If we simply don't return the hasFoo attribute they'd have to infer
>hasFoo=false. I suppose if we must, we can go back to them and see if the
>design change is feasible for them.
>
>On Fri, Jun 08, 2018 at 03:29:20PM -0500, Michael A Grady wrote:
>>If you only want the one value, then why map the other values/have a DefaultValue? You want the other values "not mapped", so don't map them; having a DefaultValue does constitute a "mapping". Simply have nothing for the other values.
>>
>>> On Jun 8, 2018, at 3:25 PM, Baron Fujimoto <[hidden email]> wrote:
>>>
>>>
>>> On Thu, Jun 07, 2018 at 03:14:42AM +0000, Lipscomb, Gary wrote:
>>>>
>>>> <AttributeDefinition xsi:type="Mapped"
>>>>      id="hasFoo"
>>>>      sourceAttributeID="someAttr">
>>>>    <Dependency ref="someAttr" />
>>>>    <DisplayName xml:lang="en">Has Foo</DisplayName>
>>>>
>>>>    <ValueMap>
>>>>      <ReturnValue>true</ReturnValue>
>>>>      <SourceValue>foo</SourceValue>
>>>>    </ValueMap>
>>>>    <ValueMap>
>>>>      <ReturnValue>false</ReturnValue>
>>>>      <SourceValue>bar</SourceValue>
>>>>      <SourceValue>baz</SourceValue>
>>>>    </ValueMap>
>>>>
>>>> </AttributeDefinition>
>>>
>>> Hi Gary,
>>>
>>> Thanks, but I think this is more or less equivalent to my original attempt below? Except I use a <DefaultValue> for the false terms rather than explicitly matching each value with a <ValueMap>. It's not really feasible for us to explicitly match each false value anyway, since the set of these values is not fixed in size and they may have arbitrary values (email addresses would be a good analogy).
>>>
>>> This still has the problem I'm trying to solve of resulting in a multivalued "hasFoo" after deduping:
>>>
>>> Log excerpt:
>>>
>>> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:434] - Attribute Resolver 'ShibbolethAttributeResolver': De-duping attribute definition hasFoo result
>>> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Removing duplicate value StringAttributeValue{value=false} of attribute 'hasFoo' from resolution result
>>> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Removing duplicate value StringAttributeValue{value=false} of attribute 'hasFoo' from resolution result
>>> DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:446] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'hasFoo' has 2 values after post-processing
>>>
>>> Excerpt from output of resolvertest:
>>>
>>>  {
>>>    "name": "hasFoo",
>>>    "values": [
>>>      "StringAttributeValue{value=false}",
>>>      "StringAttributeValue{value=true}"
>>>    ]
>>>  }
>>>
>>> But what I'd really like as a result is:
>>>
>>>  {
>>>    "name": "hasFoo",
>>>    "values": [
>>>      "StringAttributeValue{value=true}"
>>>    ]
>>>  }
>>>
>>>
>>>> -----Original Message-----
>>>> From: users [mailto:[hidden email]] On Behalf Of Baron Fujimoto
>>>> Sent: Thursday, 7 June 2018 12:56
>>>> To: Shib Users <[hidden email]>
>>>> Subject: AttributeDefinition multivalued to single value attribute?
>>>>
>>>> Is there a recommended way to create an AttributeDefinition in the IdP's
>>>> attribute-resolver.xml that will map a multivalued source attribute to a
>>>> new single valued attribute?
>>>>
>>>> For example, if I have a multivalued source attribute, "someAttr" with
>>>> values as follows:
>>>>
>>>> someAttr: foo
>>>> someAttr: bar
>>>> someAttr: baz
>>>>
>>>> And I would like to define a new attribute, "hasFoo" which has value either
>>>> "true" or "false" depending on the value of someAttr.
>>>>
>>>> If I do something like this
>>>>
>>>> <resolver:AttributeDefinition xsi:type="ad:Mapped"
>>>>       id="hasFoo-enabled"
>>>>       sourceAttributeID="someAttr">
>>>>
>>>>   [...]
>>>>
>>>>   <!-- if someAttr is not "foo" return false -->
>>>>   <ad:DefaultValue>false</ad:DefaultValue>
>>>>
>>>>   <!-- map "foo" to "true" -->
>>>>   <ad:ValueMap>
>>>>       <ad:ReturnValue>true</ad:ReturnValue>
>>>>       <ad:SourceValue ignoreCase="true">foo</ad:SourceValue>
>>>>   </ad:ValueMap>
>>>> </resolver:AttributeDefinition>
>>>>
>>>> I wind up with a multivalued set of hasFoo like
>>>>
>>>> hasFoo: true
>>>> hasFoo: false
>>>> hasFoo: false
>>>>
>>>> But the result I really want is just a single hasFoo with value "true" if
>>>> there was a someAttr with value "foo", else hasFoo should be "false".
>>>>
>>>> The broader context for this is that I would like to return the single
>>>> valued "hasFoo" in an AttributeFilterPolicy, and conditionally release
>>>> other attributes based on the value of hasFoo. Maybe there's a better
>>>> way to tackle this broader goal?
>>>>
>>>> --
>>>> Baron Fujimoto <[hidden email]> :: UH Information Technology Services
>>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>>
>>> --
>>> Baron Fujimoto <[hidden email]> :: UH Information Technology Services
>>> minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>>
>>--
>>Michael A. Grady
>>IAM Architect, Unicon, Inc.
>>
>>
>>
>
>
>
>
>
>--
>Baron Fujimoto <[hidden email]> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Re: AttributeDefinition multivalued to single value attribute?

Michael A Grady

On Jun 8, 2018, at 4:22 PM, Baron Fujimoto <[hidden email]> wrote:

> To elaborate, if we can provide them an explicit true/false value for
> hasFoo, they can use this to distinguish a possible reason why other
> requested attributes may have conditionally not been released (as opposed
> to say, those other attributes simply not existing themselves perhaps)

Then you are going to need a Script to do that, if you want a single value of either true or false.

--
Michael A. Grady
IAM Architect, Unicon, Inc.
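
One way to write the script Michael refers to, as an added example that is not part of the original thread or the Shibboleth project's own configuration: a scripted attribute definition for IdP V3 that collapses all values of someAttr into exactly one hasFoo value. It assumes someAttr can be named as a dependency by that id (as in the Mapped definition quoted earlier in the thread) and reuses the namespace prefixes from Baron's original post.

```xml
<!-- Added example, not from the thread. Assumes "someAttr" can be referenced as a
     dependency by that id; point the Dependency at your data connector instead
     if that is where someAttr comes from. -->
<resolver:AttributeDefinition xsi:type="ad:Script" id="hasFoo">
    <resolver:Dependency ref="someAttr" />

    <!-- Keep the AttributeEncoder elements from your existing definition here. -->

    <ad:Script><![CDATA[
        // "someAttr" is the resolved dependency; "hasFoo" is the attribute being built.
        // Both are exposed to the script under their attribute ids.
        var found = false;

        // A user with no someAttr at all leaves the variable undefined.
        if (typeof someAttr != "undefined" && someAttr != null) {
            var it = someAttr.getValues().iterator();
            while (it.hasNext()) {
                var v = it.next();
                // Case-insensitive match, mirroring ignoreCase="true" in the Mapped version.
                if (v != null && String(v).toLowerCase() == "foo") {
                    found = true;
                    break;
                }
            }
        }

        // Exactly one value is added however many values someAttr carries.
        hasFoo.addValue(found ? "true" : "false");
    ]]></ad:Script>
</resolver:AttributeDefinition>
```

Check the result with the resolvertest output used earlier in the thread: hasFoo should list a single value.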





RE: AttributeDefinition multivalued to single value attribute?

Losen, Stephen C (scl)
In reply to this post by Baron Fujimoto
Hi Baron,

You are correct, you need two PolicyRequirementRules, one to release hasfoo-enabled if Requester == "X". The other PolicyRequirementRule would release other attributes if Requester == "X" AND hasfoo-enabled == "true".

I don't think you can do this in the PermitValueRules.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
[hidden email]    434-924-0640

-----Original Message-----
From: users [mailto:[hidden email]] On Behalf Of Baron Fujimoto
Sent: Friday, June 08, 2018 5:05 PM
To: Shib Users <[hidden email]>
Subject: Re: AttributeDefinition multivalued to single value attribute?

Hi Stephen,

I need to release a hasfoo-enabled attribute to the SP regardless, so I
still need to create this for them rather than have them try to derive it
from the underlying set of someAttr themselves.

Re the attribute release policy, if I put all of the condition in a
<PolicyRequirementRule>, it will apply to all attributes that match the
policy, won't it? Wouldn't that mean I'd actually have to have
two PolicyRequirementRules for this requester? The first would
unconditionally release "hasFoo" attribute (for the matching requester),
and the second to conditionally release the other allowed attributes to
that requester based on the hasFoo value?

The documentation at
<https://wiki.shibboleth.net/confluence/display/IDP30/ValueConfiguration>
suggests it's possible in <PermitValueRule> with a compound matcher
example (marked as deprecated). e.g:

<AttributeRule attributeID="hasFooConditionalAttr">
   <PermitValueRule xsi:type="Value" value="true" ignoreCase="true" attributeID="hasFoo"/>
</AttributeRule>

This appears to work, but it's not clear how you would do this in a non-deprecated manner.

On Thu, Jun 07, 2018 at 10:27:19AM +0000, Losen, Stephen C. (scl) wrote:

>Hi Baron,
>
>You can test "someAttr" directly in the attribute filter, no need to convert it to "hasfoo-enabled".
>
><PolicyRequirementRule xsi:type="Value"
>  attributeID="someAttr" value="foo" />
>
>This is true if any value of someAttr is "foo".
>
>You can negate like this
>
><PolicyRequirementRule xsi:type="NOT">
>  <Rule xsi:type="Value" attributeID="someAttr" value="foo" />
></PolicyRequirementRule>
>
>This is true if none of the values of someAttr is "foo"
>
>And you can build an arbitrarily complex rule by combining rules with xsi:type="AND" and/or xsi:type="OR"
>
>So you might have a PolicyRequirementRule where the Requester has a particular entityID AND an attribute has a particular value.
>
>https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterPolicyConfiguration
>
>
>Stephen C. Losen
>ITS - Systems and Storage
>University of Virginia
>[hidden email]    434-924-0640
>
>
>-----Original Message-----
>From: users [mailto:[hidden email]] On Behalf Of Baron Fujimoto
>Sent: Wednesday, June 06, 2018 10:56 PM
>To: Shib Users <[hidden email]>
>Subject: AttributeDefinition multivalued to single value attribute?
>
>Is there a recommended way to create an AttributeDefinition in the IdP's
>attribute-resolver.xml that will map a multivalued source attribute to a
>new single valued attribute?
>
>For example, if I have a multivalued source attribute, "someAttr" with
>values as follows:
>
>someAttr: foo
>someAttr: bar
>someAttr: baz
>
>And I would like to define a new attribute, "hasFoo" which has value either
>"true" or "false" depending on the value of someAttr.
>
>If I do something like this
>
><resolver:AttributeDefinition xsi:type="ad:Mapped"
>        id="hasFoo-enabled"
>        sourceAttributeID="someAttr">
>
>    [...]
>
>    <!-- if someAttr is not "foo" return false -->
>    <ad:DefaultValue>false</ad:DefaultValue>
>
>    <!-- map "foo" to "true" -->
>    <ad:ValueMap>
>        <ad:ReturnValue>true</ad:ReturnValue>
>        <ad:SourceValue ignoreCase="true">foo</ad:SourceValue>
>    </ad:ValueMap>
></resolver:AttributeDefinition>
>
>I wind up with a multivalued set of hasFoo like
>
>hasFoo: true
>hasFoo: false
>hasFoo: false
>
>But the result I really want is just a single hasFoo with value "true" if
>there was a someAttr with value "foo", else hasFoo should be "false".
>
>The broader context for this is that I would like to return the single
>valued "hasFoo" in an AttributeFilterPolicy, and conditionally release
>other attributes based on the value of hasFoo. Maybe there's a better
>way to tackle this broader goal?
>
>--
>Baron Fujimoto <[hidden email]> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
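
The two-policy layout Stephen describes at the top of this message, as an added example that is not part of the original thread: one policy releases hasFoo to the requester unconditionally, and a second releases another attribute only when the requester matches AND hasFoo is "true". The entityID and policy ids are placeholders, "bar" stands for any conditionally released attribute, the afp: prefix and Value type follow Baron's own snippets, and hasFoo is assumed to be resolved as a single value.

```xml
<!-- Added example, not from the thread. The entityID and policy ids are placeholders. -->

<!-- Policy 1: always release hasFoo to this requester. -->
<afp:AttributeFilterPolicy id="releaseHasFooToExampleSP">
    <afp:PolicyRequirementRule xsi:type="afp:Requester"
            value="https://sp.example.org/shibboleth" />

    <afp:AttributeRule attributeID="hasFoo">
        <afp:PermitValueRule xsi:type="afp:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- Policy 2: release "bar" only when the requester matches AND hasFoo is "true".
     The condition sits in the PolicyRequirementRule, so the Value rule with an
     attributeID is used as a policy rule rather than as a value matcher. -->
<afp:AttributeFilterPolicy id="releaseBarToExampleSPWhenHasFoo">
    <afp:PolicyRequirementRule xsi:type="afp:AND">
        <afp:Rule xsi:type="afp:Requester"
                value="https://sp.example.org/shibboleth" />
        <afp:Rule xsi:type="afp:Value"
                attributeID="hasFoo" value="true" ignoreCase="true" />
    </afp:PolicyRequirementRule>

    <afp:AttributeRule attributeID="bar">
        <afp:PermitValueRule xsi:type="afp:ANY" />
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

If hasFoo still resolves to both "true" and "false", the Value rule in policy 2 matches on any one value, so the second policy only behaves as a real gate once hasFoo is single valued.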

Re: AttributeDefinition multivalued to single value attribute?

Baron Fujimoto
In reply to this post by Cantor, Scott E.
On Fri, Jun 08, 2018 at 09:18:21PM +0000, Cantor, Scott wrote:
>> This appears to work, but it's not clear how you would do this in a non-
>> deprecated manner.
>
>I don't know what's deprecated about it but if it doesn't WARN about something, I imagine the documentation isn't right.

It doesn't appear to log any warnings or errors (at least for 3.2.1),
using an AttributeRule based on the documentation example (marked as
deprecated) for a Compound matcher at

<https://wiki.shibboleth.net/confluence/display/IDP30/ValueConfiguration>

E.g.:

<afp:AttributeRule attributeID="bar">
    <afp:PermitValueRule xsi:type="afp:Value" value="true" attributeID="hasFoo" ignoreCase="true" />
</afp:AttributeRule>

The documentation states:

* If no attributeID attribute is specified then it is a Matcher ...
* If an attributeID attribute is specified then it is a PolicyRule ...

I'm specifying attributeIDs, which by the docs makes it a PolicyRule but
I believe I'm using it as a Matcher?

--
Baron Fujimoto <[hidden email]> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

RE: AttributeDefinition multivalued to single value attribute?

Rod Widdowson
 

> <afp:AttributeRule attributeID="bar">
>     <afp:PermitValueRule xsi:type="afp:Value" value="true" attributeID="hasFoo" ignoreCase="true" />
> </afp:AttributeRule>
>
> The documentation states:
>
> * If no attributeID attribute is specified then it is a Matcher ...
> * If an attributeID attribute is specified then it is a PolicyRule ...
>
> I'm specifying attributeIDs, which by the docs makes it a PolicyRule but
> I believe I'm using it as a Matcher?

Yes.  

My mind is deeply elsewhere right now and it would take me a while to swap the subtleties back in, but to my mind that argues that you need to recast this so that you can see what's going on when you come back to this in 6 months.
