eduPersonAssurance and postAuthContext principals scripted attribute

eduPersonAssurance and postAuthContext principals scripted attribute

Mak, Steve
Hey list, I had a question for implementers.

I'm curious if anyone has built in v4 IdP an eduPersonAssurance attribute. It looks like AWS can't use authnContextClassRef for this type of thing.

I'm currently looking for useful resources for how to build a script for this based on a user's authContext principals, or maybe using an activation-condition for it. We don't have any value we can use in our IdP DB.

I was thinking the logic could look like this:

1. At attribute resolve time parse the list of authContext principals.
2. If one of the principals equals 'urn..TimeSyncToken' then set eduPersonAssurance to some MFA-like/Gold/High value.

Thanks,
Steve Mak

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: eduPersonAssurance and postAuthContext principals scripted attribute

Cantor, Scott E.
On 7/30/20, 11:32 AM, "users on behalf of Mak, Steve" <[hidden email] on behalf of [hidden email]> wrote:

>    I'm currently looking for useful resources for how to build a script for this based on a user's authContext principals, or
> maybe using an activation-condition for it. We don't have any value we can use in our IdP DB.

https://wiki.shibboleth.net/confluence/display/IDP4/SubjectDerivedAttributeAttributeDefinition

Use the attributeValuesFunctionRef hook to inject a script that just checks for the relevant type of Principal and value and builds the values to return. The function/script will be called for every Principal.

-- Scott

Re: eduPersonAssurance and postAuthContext principals scripted attribute

Mak, Steve
This is what I wrote to get eduPersonAssurance working. Can anyone see if I did anything horribly wrong?

global.xml

    <bean id="eduAssuranceBuilder" parent="shibboleth.Functions.Scripted" factory-method="inlineScript">
        <constructor-arg>
            <value><![CDATA[
                // Called once per Principal in the authenticated Subject; 'input' is that Principal.
                if (input.getName() === 'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken' ) {
                    var logger = Java.type("org.slf4j.LoggerFactory").getLogger("resolver.eduAssuranceBuilder");
                    logger.debug("Build the eduPersonAssurance value with this: {}", input);

                    var IdPAttributeValue = Java.type('net.shibboleth.idp.attribute.StringAttributeValue');
                    var ArrayList = Java.type('java.util.ArrayList');
                    var returnValue = new ArrayList();
                    var attribute = new IdPAttributeValue('MFA');
                    returnValue.add(attribute);

                    // The script's last expression is its result: the values derived from this Principal.
                    returnValue
                }
            ]]>
            </value>
        </constructor-arg>
    </bean>

resolver.xml

    <AttributeDefinition id="eduPersonAssurance" xsi:type="Simple">
        <InputAttributeDefinition ref="eduPersonAssuranceSource"/>
    </AttributeDefinition>
    <AttributeDefinition id="eduPersonAssuranceSource" xsi:type="SubjectDerivedAttribute" attributeValuesFunctionRef="eduAssuranceBuilder" />



Thanks,
Steve


Re: eduPersonAssurance and postAuthContext principals scripted attribute

Cantor, Scott E.
On 7/30/20, 4:14 PM, "users on behalf of Mak, Steve" <[hidden email] on behalf of [hidden email]> wrote:

>    This is what I wrote to get eduPersonAssurance working. Can anyone see if I did anything horribly wrong?

Strictly speaking, I would probably test the input object's type with instanceof to make sure it's an AuthnContextClassRefPrincipal. Not that there's a real chance of a user by that name, but you take the point.

-- Scott
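The type-checked version of the script that the reply above describes, as an added example that is not code from the thread or from the Shibboleth project: the attributeValuesFunctionRef script tests `instanceof AuthnContextClassRefPrincipal` before looking at the name, maps the class ref through a small table, and returns null for every other Principal so it contributes no values. The REFEDS MFA table entry and the 'MFA' value are assumptions to be replaced with the class refs and assurance values your deployment actually publishes.

```xml
<bean id="eduAssuranceBuilder" parent="shibboleth.Functions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value><![CDATA[
            // Called once per Principal in the authenticated Subject; 'input' is that Principal.
            var AuthnContextClassRefPrincipal =
                Java.type('net.shibboleth.idp.authn.principal.AuthnContextClassRefPrincipal');
            var StringAttributeValue = Java.type('net.shibboleth.idp.attribute.StringAttributeValue');
            var ArrayList = Java.type('java.util.ArrayList');
            var logger = Java.type('org.slf4j.LoggerFactory').getLogger('resolver.eduAssuranceBuilder');

            // AuthnContextClassRef URI -> assurance value it justifies.
            // TimeSyncToken is the class ref from the thread; the REFEDS MFA entry is an assumed
            // addition, and 'MFA' is a placeholder for the value your deployment publishes.
            var assuranceByClassRef = {
                'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken': 'MFA',
                'https://refeds.org/profile/mfa': 'MFA'
            };

            var result = null;
            // Check the Java type first: only an AuthnContextClassRefPrincipal's name is a class ref,
            // so a user or other Principal whose name happens to match the string is never counted.
            if (input instanceof AuthnContextClassRefPrincipal) {
                var value = assuranceByClassRef[input.getName()];
                if (value) {
                    logger.debug('Deriving eduPersonAssurance {} from {}', value, input.getName());
                    result = new ArrayList();
                    result.add(new StringAttributeValue(value));
                }
            }
            // null for any other Principal contributes no values to the attribute.
            result;
        ]]></value>
    </constructor-arg>
</bean>
```

The resolver side is unchanged from the thread: a SubjectDerivedAttribute definition with attributeValuesFunctionRef="eduAssuranceBuilder" feeding the eduPersonAssurance definition.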