generating scoped attributes in ad:Script
Peter Schober
peter.schober at univie.ac.at
Thu Feb 21 20:00:30 EST 2013
Is it possible to generate attributes in a type="Script" attribute
definition other than instantiations of BasicAttribute, e.g. scoped
attributes?
A (slightly contrived/convoluted) use case is as follows:
* If a (scoped) attribute exists in LDAP, use that (e.g. ePPN)
* Otherwise create a scoped attribute based on another attribute's
value (e.g. uid) + scope
(I don't think this can be done by any other attribute definition but
Script. Even ignoring the fact that one attribute's value would be
prescoped and the other not, iterating over attributes taking the
first nonempty one could be easier, e.g. using a precedence list
approach like the SP uses for REMOTE_USER?)
I can't just attach SAML2ScopedString encoders to the result of the script:
java.lang.ClassCastException: java.lang.String cannot be cast to
edu.internet2.middleware.shibboleth.common.attribute.provider.ScopedAttributeValue
What I can do is create a (scoped) string in the Script and pull that
as a Dependency from a Prescoped attribute definition with the proper
encoders.
But that has the ugly side effect of changing the attribute
definition's id everywhere and so attribute filters need to change
accordingly and audit log lines will differ from that point on (making
tools processing these brittle).
The reason for the (unwanted) id change is that I can't name the
Script attribute definition with just any id, AFAIU it needs to have
the id of the attribute it generates (in this example "eduPersonPrincipalName").
From that follows that I can't also name the Prescoped attribute
definition id="eduPersonPrincipalName", which is what ultimately gets
referenced in the filter, and audit-logged when released.
-peter
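The ePPN-or-uid+scope fallback described above, as an added example that is not part of the original post or of the Shibboleth project's documentation. It assumes an IdP v2 attribute-resolver.xml with an LDAP connector (id "myLDAP", hypothetical) returning eduPersonPrincipalName and uid, that dependency attributes are visible to the script as variables named by their id, and that the ScopedAttributeValue class from the exception has a (value, scope) constructor; wrapping every value in ScopedAttributeValue inside the script is what lets the scoped encoders sit directly on the Script definition.

```xml
<!-- Added example (not from the original post or the Shibboleth docs).
     Assumptions: IdP v2 resolver; LDAP connector "myLDAP" (hypothetical) returns
     eduPersonPrincipalName and uid; dependency attributes appear in the script
     as variables named by attribute id; ScopedAttributeValue(value, scope) exists. -->
<resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Script">
    <resolver:Dependency ref="myLDAP" />

    <!-- Scoped encoders require every value to be a ScopedAttributeValue -->
    <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
        name="urn:mace:dir:attribute-def:eduPersonPrincipalName" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" />

    <ad:Script><![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);

        var scope = "example.org";               // constructed value: this IdP's scope
        var values = new java.util.ArrayList();

        // Branch 1: LDAP already holds a prescoped ePPN. Split each value at the
        // last '@' and rewrap it, so the encoders see ScopedAttributeValue, not String.
        if (typeof eduPersonPrincipalName != "undefined"
                && eduPersonPrincipalName.getValues().size() > 0) {
            var it = eduPersonPrincipalName.getValues().iterator();
            while (it.hasNext()) {
                var v = String(it.next());
                var at = v.lastIndexOf("@");
                if (at > 0 && at < v.length - 1) {
                    values.add(new ScopedAttributeValue(v.substring(0, at), v.substring(at + 1)));
                }
                // a value with no scope part is dropped rather than released unscoped
            }
        }

        // Branch 2: no usable ePPN in LDAP, so build one from the first uid plus scope.
        if (values.isEmpty() && typeof uid != "undefined" && uid.getValues().size() > 0) {
            var first = String(uid.getValues().iterator().next());
            values.add(new ScopedAttributeValue(first, scope));
        }

        // The script's result must be a BasicAttribute whose id equals the definition id,
        // so filters and audit logs keep seeing "eduPersonPrincipalName".
        eduPersonPrincipalName = new BasicAttribute("eduPersonPrincipalName");
        eduPersonPrincipalName.getValues().addAll(values);
    ]]></ad:Script>
</resolver:AttributeDefinition>
```

Because both branches produce the same value type, the definition keeps its id and no separate Prescoped definition is needed.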