generating scoped attributes in ad:Script

Peter Schober peter.schober at
Thu Feb 21 20:00:30 EST 2013

Is it possible to generate attributes in a type="Script" attribute
definition other than instantiations of BasicAttribute, e.g. scoped

A (slightly contrived/convoluted) use case is as follows:
* If a (scoped) attribute exists in LDAP, use that (e.g. ePPN)
* Otherwise create a scoped attribute based on another attribute's
  value (e.g. uid) + scope

(I don't think this can be done by any other attribute definition but
Script. Even ignoring the fact that one attribute's value would be
prescoped and the other not, iterating over attributes taking the
first nonempty one could be easier, e.g. using a precedence list
approach like the SP uses for REMOTE_USER?)

I can't just attach SAML2ScopedString encoders to the result of the script:

  java.lang.ClassCastException: java.lang.String cannot be cast to

What I can do is create a (scoped) string in the Script and pull that
as a Dependency from a Prescoped attribute definition with the proper
But that has the ugly side effect of changing the attribute
definition's id everywhere and so attribute filters need to change
accordingly and audit log lines will differ from that point on (making
tools processing these brittle).

The reason for the (unwanted) id change is that I can't name the
Script attribute definition with just any id, AFAIU it needs to have
the id of the attribute it generates (in this example "eduPersonPrincipalName").

From that follows that I can't also name the Prescoped attribute
definition id="eduPersonPrincipalName", which is what ultimately gets
referenced in the filter, and audit-logged when released.
