IdP encoding error

Peter Schober peter.schober at univie.ac.at
Tue Feb 5 02:28:35 EST 2013


* David Bantz <dabantz at alaska.edu> [2013-02-05 00:05]:
> On Mon, 4 Feb 2013, at 12:11 , Rod Widdowson <rdw at steadingsoftware.com> wrote:
> > can you enter a JIRA case?
> 
> I confess to not knowing at all how to do that...

Wiki home -> Developer resources -> Bug reports -> Log in -> type
"alaska" -> ... -> Create Issue. (Though Jira currently hangs for me
after doing that last step.)

>   <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad">
>         <resolver:Dependency ref="myLDAP" />
>         <resolver:Dependency ref="uasystemid" />
>         <resolver:Dependency ref="uaadsystemid" />
> 
>         <resolver:AttributeEncoder xsi:type="SAML1ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>             name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
> 
>         <resolver:AttributeEncoder xsi:type="SAML2ScopedString" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>             name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />

Jfyi, I always added encoders to another attribute definition that had
the scripted one as a dependency. That also works around the problem
of creating other attribute types in scripts, as you can have any
attribute definition & encoders you need (scoped, nameid, etc.) just
depend on the values your script returns.

>         <Script>
>         <![CDATA[
>         importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
>         importPackage(Packages.org.slf4j);
> 
>         logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");
>         logger.debug("Starting eduPersonPrincipalName Attribute Resolver Script:");

I guess that means you're missing a matching logging.xml entry for the
logger you created above (or something more general). Otherwise there
would have been lines from the logger.debug() calls you've been
making throughout the code?

>         if (eduPersonPrincipalName == null) {
>                 eduPersonPrincipalName = new BasicAttribute("eduPersonPrincipalName");
>         }
> 
>         if (typeof uasystemid != "undefined" && uasystemid != null && uasystemid.getValues().size() != 0){
>             logger.debug("EDIR LDAP Values: " + uasystemid.getValues());
>             for ( i = 0; i < uasystemid.getValues().size(); i++ ){
>                 value = uasystemid.getValues().get(i);
>                 eduPersonPrincipalName.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
>             }
>         }
>         else {
>             if (typeof uaadsystemid != "undefined" && uaadsystemid != null && uaadsystemid.getValues().size() != 0){
>                 logger.debug("AD LDAP Values: " + uaadsystemid.getValues());
>                 for ( i = 0; i < uaadsystemid.getValues().size(); i++ ){
>                     value = uaadsystemid.getValues().get(i);
>                     eduPersonPrincipalName.getValues().add(new ScopedAttributeValue(value, "alaska.edu"));
>                 }
>             }
>         }

What Rod said. I also doubt you can encode a BasicAttribute (which is
what you initially set eduPersonPrincipalName to, though there's no
way to know for me whether the attribute initially is in fact null) as
a ScopedAttribute, even though you add ScopedAttributeValue to it
later (no idea if that does anything useful).

I also don't see why you need to create a scoped attribute in here
since the scopes you're adding seem to be all the same. So you might
just as well only create the unscoped (left-hand side) part of the
principalname here and later depend on that in a scoped attribute
definition that adds the scope (and matching encoder) to that. The
default resolver config has an example of that.
-peter
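
The two suggestions in the reply above (put the encoders on a separate attribute definition that depends on the scripted one, and let the script produce only the unscoped local part while a Scoped definition adds the scope) combined into one attribute-resolver.xml fragment. This is an added example, not from the thread and not from the Shibboleth distribution's default config. It reuses the dependency ids "myLDAP", "uasystemid" and "uaadsystemid" from the quoted config; the id "eppnLocalPart" is made up here, and the resolver/xsi namespace prefixes are assumed to be declared on the document root as in a stock IdP 2.x resolver file.

```xml
<!--
  Added example, not from the original thread.
  Assumed: "myLDAP", "uasystemid" and "uaadsystemid" exist as in the
  quoted config; "eppnLocalPart" is an invented id.
-->

<!-- Step 1: the script emits plain string values only, no ScopedAttributeValue. -->
<resolver:AttributeDefinition id="eppnLocalPart" xsi:type="Script"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad">
    <resolver:Dependency ref="myLDAP" />
    <resolver:Dependency ref="uasystemid" />
    <resolver:Dependency ref="uaadsystemid" />
    <Script>
    <![CDATA[
    importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

    // Create the output attribute if the resolver did not already supply one.
    if (eppnLocalPart == null) {
        eppnLocalPart = new BasicAttribute("eppnLocalPart");
    }

    // Prefer the eDirectory value; fall back to the AD value.
    var source = null;
    if (typeof uasystemid != "undefined" && uasystemid != null
            && uasystemid.getValues().size() != 0) {
        source = uasystemid;
    } else if (typeof uaadsystemid != "undefined" && uaadsystemid != null
            && uaadsystemid.getValues().size() != 0) {
        source = uaadsystemid;
    }

    if (source != null) {
        for (var i = 0; i < source.getValues().size(); i++) {
            // Plain string; the scope is appended by the Scoped definition below.
            eppnLocalPart.getValues().add(source.getValues().get(i));
        }
    }
    ]]>
    </Script>
</resolver:AttributeDefinition>

<!-- Step 2: a Scoped definition depends on the script output, adds the
     scope and carries the scoped encoders. -->
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="Scoped"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    scope="alaska.edu" sourceAttributeID="eppnLocalPart">
    <resolver:Dependency ref="eppnLocalPart" />
    <resolver:AttributeEncoder xsi:type="SAML1ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
    <resolver:AttributeEncoder xsi:type="SAML2ScopedString"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />
</resolver:AttributeDefinition>
```

The script itself then has no encoders and never constructs a ScopedAttributeValue, so the question of whether a BasicAttribute can be encoded as scoped does not arise; the Scoped definition produces scoped values from whatever strings the script returns. If you keep logger.debug() calls in the script, logging.xml needs a <logger> element whose name matches the name passed to LoggerFactory.getLogger() (or a parent of it) at level DEBUG, otherwise the output is suppressed at the default level.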

