scripted conditions for intercept flows

scripted conditions for intercept flows

Liam Hoekenga
Is "input" set to anything for "shibboleth.Conditions.Scripted" (specifically for context based intercept flows)?

Any pointers for accessing attributes / values in this situation?  Would it be something like what happens in the default copy of mfa-authn-config.xml?

Liam

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: scripted conditions for intercept flows

Cantor, Scott E.
On 12/6/18, 2:00 PM, "users on behalf of Liam Hoekenga" <[hidden email] on behalf of [hidden email]> wrote:

> Is "input" set to anything for "shibboleth.Conditions.Scripted" (specifically for context based intercept flows)?

shibboleth.Conditions.Scripted is a shortcut for

    <bean id="shibboleth.Conditions.Scripted"
          class="net.shibboleth.idp.profile.logic.ScriptedPredicate" abstract="true" />

(see system/conf/utilities.xml)

That gets you to the Javadoc to answer your question as to what its type is and what by definition "input" is going to be set to, which is ProfileRequestContext in this and most other cases.

That means it's usable when it's injected into a property that takes a Predicate<ProfileRequestContext> and that's what "input" is going to be set to.

> Any pointers for accessing attributes / values in this situation?

There are built-in classes (subclasses of the base class at [1]) for looking at attributes without any scripts, one of which is already in the context-check flow configuration in comments and then there's [2] describing the general contract of interceptors and what the tree looks like.

All of it is linked to the javadocs (the boxes in the wire diagrams in [2] all link to the corresponding class documentation).

-- Scott
[1] http://shibboleth.net/cgi-bin/java-idp.cgi/net.shibboleth.idp.profile.logic.AbstractAttributePredicate
[2] https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling


Re: scripted conditions for intercept flows

Liam Hoekenga

> There are built-in classes (subclasses of the base class at [1]) for looking at attributes without any scripts, one of which is already in the context-check flow configuration in comments and then there's [2] describing the general contract of interceptors and what the tree looks like.

I think I specifically need to fetch the attribute values in a script... I need to compare the entityID of the relying party to values of an attribute (and it's currently a substring match).

Liam

Re: scripted conditions for intercept flows

Liam Hoekenga
In reply to this post by Cantor, Scott E.
> That means it's usable when it's injected into a property that takes a Predicate<ProfileRequestContext> and that's what "input" is going to be set to.

So I'm trying to follow the steps laid out in "Programming Guide to Attribute Resolution" (https://wiki.shibboleth.net/confluence/display/IDP30/AttributeResolver).

The examples I've found show something like..

    resCtx = profileContext.getSubcontext('net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext', true);

I looked in the source code, and as far as I can tell the AttributeResolutionContext is a subclass of the PRC (aka "org.opensaml.profile.context"), but when I try to set it, it comes back null.

Where should I be looking?

Liam



Re: scripted conditions for intercept flows

Cantor, Scott E.
On 12/6/18, 4:46 PM, "Liam Hoekenga" <[hidden email]> wrote:

> Where should I be looking?

Attributes are already resolved.

https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling#ProfileHandling-Post-AuthenticationInterceptContract

PRC -> RelyingPartyContext -> AttributeContext

-- Scott
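
The path given in the last reply (PRC -> RelyingPartyContext -> AttributeContext), walked from a scripted predicate, as an added example that is not code from the thread or from the Shibboleth project. It assumes the IdP V3 accessors (`getSubcontext(String)`, `getRelyingPartyId()`, `getIdPAttributes()`, `getValues()`, `getValue()`), a hypothetical attribute id `allowedRelyingParties`, and constructed stand-in objects so it runs outside the IdP. It compares entityIDs exactly rather than by substring, so a longer entityID that merely contains a listed value is not accepted.

```javascript
// Added example: JavaScript body for a scripted predicate, where "input"
// is the ProfileRequestContext. Context class names are the IdP V3 ones.
var RP_CTX = "net.shibboleth.idp.profile.context.RelyingPartyContext";
var ATTR_CTX = "net.shibboleth.idp.attribute.context.AttributeContext";

// True only if the relying party's entityID equals a value of the attribute.
// Every missing piece of the context tree fails closed (returns false).
function entityIdAllowed(input, attributeId) {
    var rpCtx = input.getSubcontext(RP_CTX);
    if (rpCtx == null || rpCtx.getRelyingPartyId() == null) { return false; }
    var attrCtx = rpCtx.getSubcontext(ATTR_CTX);
    if (attrCtx == null) { return false; }
    var attr = attrCtx.getIdPAttributes().get(attributeId);
    if (attr == null) { return false; }
    var entityId = String(rpCtx.getRelyingPartyId());
    var values = attr.getValues();              // a java.util.List in the IdP
    for (var i = 0; i < values.size(); i++) {
        // Exact comparison; a substring test would also accept look-alikes.
        if (String(values.get(i).getValue()) === entityId) { return true; }
    }
    return false;
}

// Constructed stand-ins exposing the same method names, so the function can
// be exercised outside the IdP. These are not Shibboleth classes.
function javaList(items) {
    return { size: function () { return items.length; },
             get: function (i) { return items[i]; } };
}
function mockInput(entityId, attrs) {
    var attrCtx = { getIdPAttributes: function () {
        return { get: function (id) {
            if (!attrs || !attrs.hasOwnProperty(id)) { return null; }
            return { getValues: function () {
                return javaList(attrs[id].map(function (v) {
                    return { getValue: function () { return v; } };
                }));
            } };
        } };
    } };
    var rpCtx = {
        getRelyingPartyId: function () { return entityId; },
        getSubcontext: function (n) { return n === ATTR_CTX && attrs ? attrCtx : null; }
    };
    return { getSubcontext: function (n) { return n === RP_CTX ? rpCtx : null; } };
}

// In the IdP the script would end with (attribute id is hypothetical):
//   entityIdAllowed(input, "allowedRelyingParties");
```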