SP Attribute Filter: type=basic:Script


SP Attribute Filter: type=basic:Script

Michael Nielsen

Hi!

I’d like to define a PermitValueRule on my SP as shown below (I think I have this mostly correct – at least the XML parses).

Shibd informs me: ERROR Shibboleth.AttributeFilter : error building PermitValueRule with type (basic:Script): Unknown plugin type.

The wiki page alludes to some functions not being supported in the attribute filter, but does not specify which are not.

Is the Script type supported on Shibboleth 2.5.4?  If so, is there a particular plugin I need?

Or have I messed up the definition?

I would be very grateful for any help that you can offer.

    <AttributeFilter type="XML">
      <afp:AttributeFilterPolicyGroup>
        <afp:AttributeFilterPolicy id="restrictClientIds">
          <afp:PolicyRequirementRule xsi:type="basic:ANY" />
          <afp:AttributeRule attributeID="clientIds">
            <afp:PermitValueRule xsi:type="basic:Script">
              <basic:Script>
                <![CDATA[
                // Permit a value only if every ";"-separated id in it is on the allowlist.
                function evaluateRule(filterContext, attributeId, attributeValue) {
                   const permittedClientIds = ["102","1001"];
                   // acc stays true only while each id seen so far is permitted
                   const reducer = (acc,v) => acc && permittedClientIds.includes(v);
                   // Nothing to check: permit
                   if (attributeId == null) return true;
                   if (attributeValue == null) return true;
                   var ca = attributeValue.split(";");
                   // Start from true so a single-id value is also checked
                   var res = ca.reduce(reducer, true);
                   return res;
                }
                evaluateRule(filterContext, attributeId, attributeValue);
                ]]>
              </basic:Script>
            </afp:PermitValueRule>
          </afp:AttributeRule>
        </afp:AttributeFilterPolicy>
      </afp:AttributeFilterPolicyGroup>
    </AttributeFilter>


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: SP Attribute Filter: type=basic:Script

Peter Schober
* Michael Nielsen <[hidden email]> [2018-05-27 19:54]:
> Is the Script type supported on shibboleth 2.5.4?  If so, is there a
> particular plugin I need?

The current support for Scripting is a function of the JVM (JSR 223),
so this is an IDP-only feature.

Depending on what you need you could either move that check to the
application, or maybe perform it after the SP has finished but before
redirecting back to the application (cf. sessionHook).

-peter
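
The application-side check suggested above, as an added example that is not part of the original thread or of Shibboleth itself. It assumes the SP passes `clientIds` to the application as a single string with multiple values joined by ";" and literal semicolons escaped as "\;"; the function names are hypothetical and the allowlist values are the ones from the first post.

```javascript
// Added example: enforce the clientIds allowlist in the application,
// since the SP's attribute filter has no Script rule type.
// Assumption: values arrive as one string, joined by ";", with "\;" escaping.
const PERMITTED_CLIENT_IDS = new Set(["102", "1001"]); // values from the post

// Split an SP-exported attribute string into its individual values.
function splitSpValues(raw) {
  if (typeof raw !== "string" || raw === "") return [];
  const values = [];
  let current = "";
  for (let i = 0; i < raw.length; i++) {
    const ch = raw[i];
    if (ch === "\\" && raw[i + 1] === ";") {
      current += ";"; // escaped semicolon is part of the value
      i++;
    } else if (ch === ";") {
      values.push(current); // unescaped semicolon ends the value
      current = "";
    } else {
      current += ch;
    }
  }
  values.push(current);
  return values.filter((v) => v !== "");
}

// Same effect as a PermitValueRule: keep permitted values, report the rest.
// Matching is exact (no trimming or case folding).
function filterClientIds(raw, permitted = PERMITTED_CLIENT_IDS) {
  const permittedIds = [];
  const rejectedIds = [];
  for (const id of splitSpValues(raw)) {
    (permitted.has(id) ? permittedIds : rejectedIds).push(id);
  }
  return { permittedIds, rejectedIds };
}

// Fail closed: a missing or empty attribute, or any id off the list, denies.
function clientIdsAllowed(raw, permitted = PERMITTED_CLIENT_IDS) {
  const { permittedIds, rejectedIds } = filterClientIds(raw, permitted);
  return permittedIds.length > 0 && rejectedIds.length === 0;
}
```
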

RE: SP Attribute Filter: type=basic:Script

Michael Nielsen
Thank you Peter.

-----Original Message-----
From: users <[hidden email]> On Behalf Of Peter Schober
Sent: Monday, May 28, 2018 5:01 AM
To: [hidden email]
Subject: Re: SP Attribute Filter: type=basic:Script

* Michael Nielsen <[hidden email]> [2018-05-27 19:54]:
> Is the Script type supported on shibboleth 2.5.4?  If so, is there a
> particular plugin I need?

The current support for Scripting is a function of the JVM (JSR 223), so this is an IDP-only feature.

Depending on what you need you could either move that check to the application, or maybe perform it after the SP has finished but before redirecting back to the application (cf. sessionHook).

-peter