idpv3 attribute-resolver + PluginActivationConditions
Cantor, Scott
cantor.2 at osu.edu
Thu Aug 27 09:38:17 EDT 2015
On 8/27/15, 9:13 AM, "users on behalf of Rod Widdowson" <users-bounces at shibboleth.net on behalf of rdw at steadingsoftware.com> wrote:
>Answering the technical side only
>
>> Is possible to use ExternalAttributePluginActivationConditions
>> (shibboleth.Conditions.RelyingPartyId)
>> (https://wiki.shibboleth.net/confluence/display/IDP30/ExternalAttributePluginActivationConditions)
>> with "RelyingPartyByGroup" ?
>
>Yes, but you would need to write the ActivationCondition yourself. Java
>would be best but there is also scripted.
There are multiple types of beans mentioned here.
shibboleth.Conditions.* beans are Predicate<ProfileRequestContext> beans, the reusable conditions you can apply across a lot of different spots in the configuration.
RelyingPartyByGroup and the other RelyingParty* beans are local helpers for generating RelyingPartyConfiguration override beans in relying-party.xml, and are not in any way usable in other places like activation conditions. They're not conditions at all, they're of type RelyingPartyConfiguration.
There is, in fact, no built-in condition bean definition for reuse that does the group-based test. The Java code that instantiates that particular condition is:
    // Lookup: ProfileRequestContext -> SAMLMetadataContext -> EntityDescriptor (compose applies the
    // second function first), then test that EntityDescriptor against the configured group names.
    final StrategyIndirectedPredicate<ProfileRequestContext,EntityDescriptor> indirectPredicate =
            new StrategyIndirectedPredicate<>(
                    Functions.compose(new EntityDescriptorLookupFunction(), new SAMLMetadataContextLookupFunction()),
                    new EntityGroupNamePredicate(groupNames));
Quite complex.
And of course I echo all the cautions: you should not use RelyingPartyByGroup except to reference groups maintained in local aggregates that you control.
In most cases, what you should use is an EntityAttribute metadata filter to "auto-tag" entities in a metadata feed with an entity attribute, and then apply a condition to that tag, but likewise I didn't predefine that as a bean.
You're welcome to file a request to have beans added to handle those cases more easily. Might already be one filed, I didn't look.
-- Scott
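As an added example (not part of Scott's message and not shipped by the Shibboleth project), here is what the two approaches above look like as hand-wired Spring beans in a file such as conf/global.xml: the group-based test from the Java snippet, and the tag-based test that checks an entity attribute. No predefined shibboleth.Conditions.* helper is assumed. The bean ids, the group name, the tag name and tag value are placeholders chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original message or the Shibboleth project.
     Reusable Predicate<ProfileRequestContext> beans that do the group-based and
     tag-based tests, wired by hand with StrategyIndirectedPredicate.
     Bean ids, the group name, and the tag name/value are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- ProfileRequestContext -> SAMLMetadataContext -> EntityDescriptor of the
         current relying party. Guava compose(g, f) applies f first, then g,
         so the SAMLMetadataContext lookup runs before the EntityDescriptor lookup. -->
    <bean id="example.EntityDescriptorLookup"
          class="com.google.common.base.Functions" factory-method="compose">
        <constructor-arg index="0">
            <bean class="org.opensaml.saml.common.messaging.context.navigate.EntityDescriptorLookupFunction"/>
        </constructor-arg>
        <constructor-arg index="1">
            <bean class="org.opensaml.saml.common.messaging.context.navigate.SAMLMetadataContextLookupFunction"/>
        </constructor-arg>
    </bean>

    <!-- Group-based test: the Java from the message expressed as a bean.
         Only safe when the group name comes from a local aggregate you control,
         since an EntitiesDescriptor Name in a remote feed is set by the feed's publisher. -->
    <bean id="example.Conditions.InLocalGroup"
          class="net.shibboleth.utilities.java.support.logic.StrategyIndirectedPredicate">
        <constructor-arg index="0" ref="example.EntityDescriptorLookup"/>
        <constructor-arg index="1">
            <bean class="org.opensaml.saml.common.profile.logic.EntityGroupNamePredicate">
                <constructor-arg>
                    <list>
                        <!-- placeholder: Name of an EntitiesDescriptor in your local metadata -->
                        <value>urn:example:local-sps</value>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>

    <!-- Tag-based test: true when the entity carries the entity attribute below,
         whether it was present in the feed or applied by an EntityAttributes
         metadata filter in metadata-providers.xml. -->
    <bean id="example.Conditions.HasReleaseTag"
          class="net.shibboleth.utilities.java.support.logic.StrategyIndirectedPredicate">
        <constructor-arg index="0" ref="example.EntityDescriptorLookup"/>
        <constructor-arg index="1">
            <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate">
                <constructor-arg>
                    <list>
                        <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate">
                            <!-- placeholder tag name and value -->
                            <constructor-arg value="http://example.org/tags/release-policy"/>
                            <property name="values">
                                <list>
                                    <value>resolve-directory-attributes</value>
                                </list>
                            </property>
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </constructor-arg>
    </bean>

</beans>
```

Either bean can then be referenced from attribute-resolver.xml with activationConditionRef on a DataConnector or AttributeDefinition, or anywhere else a Predicate<ProfileRequestContext> bean is accepted. For the tag-based variant, the tag itself is put on the entity by an EntityAttributes metadata filter on the metadata provider, which keeps the policy decision (which SPs get the tag) in configuration you control rather than in the feed publisher's grouping.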