Developing login plugin

Good morning,

I’m working on modifying the Shibboleth-Totp plugin that was developed and is available on github so that it actually works with the MFA flow that’s available to the IDP now.  The way the plugin was originally developed, it runs its own password flow, and it needs to be referenced directly in idp.properties.  It was also written to use its own seed fetcher, which seems counter intuitive when the IdP has the attribute resolver available to it so I don’t see a point in reinventing the wheel creating new directory connections etc.

My question revolves around calling the attribute resolver, I’ve included some code below.  I currently have it working, but I want to make sure it’s working correctly based on the way the IdP is plumbed.  Many of the examples available use script provided via XML.  There’s not much out there for actually programming plugins.

High level:  The flow is called and it looks at the c14n principal name from the profileContext that’s passed to it.  It then hands off to an ‘AttributeSourcedSeedFetcher’ (code provided), which loads the username into an AttributeResolutionContext.

The AttributeResolutionContext needs the AttributeResolverService when resolveAtributes is called.  I’ve passed that in via a bean.  I then get the attribute, and remove the subcontext for the AttributeResolverContext.

Thanks all

Joe Fischetti

Note I’ve stripped out the unnecessary content below.

Username is passed in upstream via the profileRequestContext.  attrRes and seedAttribute are passed in via the bean below.

------------------------------------------

AttributeResolutionContext resCtx = (AttributeResolutionContext)profileRequestContext.getSubcontext(AttributeResolutionContext.class, true);

resCtx.setPrincipal(username);

                //Define the arraylist of attribute values to pass into the resolver

ArrayList<String> seedAttributeList = new ArrayList<String>();

seedAttributeList.add(seedAttribute);

                //Add the attribute names to the resolver

resCtx.setRequestedIdPAttributeNames(seedAttributeList);

                //Resolve the attributes

resCtx.resolveAttributes(attrRes);

                //Get the results

Map<String,IdPAttribute> attributeResults = resCtx.getResolvedIdPAttributes();

                //Get just the attribute we care about (This can be condensed into the line above)

IdPAttribute attribute = attributeResults.get(seedAttribute);

                //Parse the values

if (attribute != null) {

//Run through the returned values and act

}

else{

//Handle it

}

                //Remove the subcontext for the resolver (is this the ‘unpinning’?)

profileRequestContext.removeSubcontext(resCtx);

---------------------------------------

<!-- For AttributeSourcedSeedFetcher

Pass in the attrRes, and the seed attribute from the config file-->

<bean id="shibboleth.totp.seedfetcher" class="net.kvak.shibboleth.totpauth.authn.impl.seed.AttributeSourcedSeedFetcher"

p:attrRes-ref="shibboleth.AttributeResolverService">

<constructor-arg ref="shibboleth.authn.seedAttribute" />

</bean>

Joe Fischetti

Linux System Administrator

Marist College

E-mail: [hidden email]