activationConditions using an attribute value

activationConditions using an attribute value

Marco Naimoli
Hi, I'm trying to use an activation condition (based on an attribute value) to control the generation of other attributes, but I'm unable to make it work (I've followed examples from https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions).

The idea is something like: the activation rule is "the user has a specific value on a specific attribute", and some other attributes have that activationConditionRef attached.

Before going on with questions, I'd like to know if what I'm trying to do is possible or not.

Thank you very much

Marco

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: activationConditions using an attribute value

Peter Schober
* Marco Naimoli <[hidden email]> [2018-07-11 16:50]:
> Before going on with questions, I'd like to know if what I'm trying
> to do is possible or not

Yes (as far as that can be said based on the details you have provided so far).

-peter

Re: activationConditions using an attribute value

Marco Naimoli
Thank you Peter. My configuration is:

<!-- This was created just for testing purposes -->
<DataConnector id="testStaticAttribute" xsi:type="Static">
    <Attribute id="attribute1">
        <Value>value1</Value>
    </Attribute>
</DataConnector>

<AttributeDefinition id="myTest" xsi:type="Simple"
        sourceAttributeID="attribute1" activationConditionRef="isInternal">
    <Dependency ref="testStaticAttribute" />
    <AttributeEncoder xsi:type="SAML2String"
        name="https://my.static.attr" friendlyName="mytest" />
</AttributeDefinition>

<!-- when a user has employeeType='external' then unipdEmployeeType="NO",
     otherwise unipdEmployeeType="OK" -->
<AttributeDefinition id="unipdEmployeeType" xsi:type="Mapped"
        sourceAttributeID="employeeType" dependencyOnly="true">
    <Dependency ref="openldap_activation" />
    <DefaultValue>OK</DefaultValue>
    <ValueMap>
        <ReturnValue>NO</ReturnValue>
        <SourceValue>external</SourceValue>
    </ValueMap>
</AttributeDefinition>

<bean id="internalUser"
      class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
      p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
        <map>
            <entry key="unipdEmployeeType">
                <list>
                    <value>OK</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- I'm using the "OR" condition because my plans are to add other SPs to the list -->
<bean id="permitRP" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:_0="https://sp.example.net/shibboleth" />
        </list>
    </constructor-arg>
</bean>

<!-- the condition is: when unipdEmployeeType="OK" OR the SP is one of the list, then proceed -->
<bean id="isInternal" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="permitRP"/>
            <bean parent="internalUser"/>
        </list>
    </constructor-arg>
</bean>

Everything works fine when the SP is https://sp.example.net/shibboleth (so one of the two conditions is met): I see the correct value of myTest using aacli. Otherwise it doesn't work, myTest has no value, and in idp-process.log I see:

Resolver plugin 'myTest': activation criteria not met, nothing to do

Thank you
Marco

On 11/07/2018 17:00, Peter Schober wrote:
> * Marco Naimoli <[hidden email]> [2018-07-11 16:50]:
>> Before going on with questions, I'd like to know if what I'm trying
>> to do is possible or not
> Yes (as far as that can be said based on the details you have provided
> so far).
>
> -peter



RE: activationConditions using an attribute value

Cantor, Scott E.
This was covered on the list a while ago, it's impossible to use any existing code, and impossible to rely on fully public APIs, to check "being resolved" attributes in an activationCondition for another resolver plugin. It's certainly not possible with the SimpleAttributePredicate, that is explicitly built to look for attributes in the final resting place after resolution. It takes custom Java or scripting and use of internal working state of the resolver.

-- Scott


Re: activationConditions using an attribute value

Marco Naimoli
Hello Scott, I'll try with a scripted condition

Thank you
Marco


On 11/07/2018 17:59, Cantor, Scott wrote:
> This was covered on the list a while ago, it's impossible to use any existing code, and impossible to rely on fully public APIs, to check "being resolved" attributes in an activationCondition for another resolver plugin. It's certainly not possible with the SimpleAttributePredicate, that is explicitly built to look for attributes in the final resting place after resolution. It takes custom Java or scripting and use of internal working state of the resolver.
>
> -- Scott
>
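As Scott notes, SimpleAttributePredicate only reads the final AttributeContext, and unipdEmployeeType above is dependencyOnly="true", so it never reaches that context at all; a condition that must see it mid-resolution has to read the resolver's working state. The block below is an added example, not the thread's own config nor Shibboleth project code: a shibboleth.Conditions.Scripted condition (documented on the ActivationConditions wiki page linked above) that looks up unipdEmployeeType in the work context, with only definitions already resolved in the current request being visible there. Assumed, and internal so liable to change between IdP 3 releases: the classes AttributeResolutionContext and AttributeResolverWorkContext, the methods getResolvedIdPAttributeDefinitions() and getResolvedAttribute(), and that a plugin's declared dependencies are resolved before its own activation condition is evaluated.

```xml
<bean id="internalUserScripted" parent="shibboleth.Conditions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        var result = false;
        // input is the ProfileRequestContext handed to every activation condition
        var resolutionCtx = input.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext");
        var workCtx = (resolutionCtx == null) ? null : resolutionCtx.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolverWorkContext");
        if (workCtx != null) {
            var def = workCtx.getResolvedIdPAttributeDefinitions().get("unipdEmployeeType");
            var attr = (def == null) ? null : def.getResolvedAttribute();
            if (attr != null) {
                var values = attr.getValues();
                for (var i = 0; i < values.size(); i++) {
                    if (String(values.get(i).getValue()) === "OK") {
                        result = true;
                        break;
                    }
                }
            }
        }
        // missing work context or unresolved attribute: fail closed
        result;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- same OR as in the thread, with the scripted check replacing internalUser -->
<bean id="isInternal" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="permitRP"/>
            <bean parent="internalUserScripted"/>
        </list>
    </constructor-arg>
</bean>

<!-- assumption: dependencies resolve before the condition runs, so declare it here -->
<AttributeDefinition id="myTest" xsi:type="Simple"
        sourceAttributeID="attribute1" activationConditionRef="isInternal">
    <Dependency ref="testStaticAttribute" />
    <Dependency ref="unipdEmployeeType" />
    <AttributeEncoder xsi:type="SAML2String"
        name="https://my.static.attr" friendlyName="mytest" />
</AttributeDefinition>
```

Verify with aacli as in the thread: the idp-process.log line "activation criteria not met" should now appear only for users whose unipdEmployeeType is not OK and whose SP is not in permitRP.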
