idpv3 attribute-resolver + PluginActivationConditions
Jarno Huuskonen
jarno.huuskonen at uef.fi
Mon Aug 31 03:07:26 EDT 2015
Hi,
(Thanks to everyone for the help!)
On Thu, Aug 27, Cantor, Scott wrote:
> On 8/27/15, 9:13 AM, "users on behalf of Rod Widdowson" <users-bounces at shibboleth.net on behalf of rdw at steadingsoftware.com> wrote:
>
> >Answering the technical side only
> >
> >> Is it possible to use ExternalAttributePluginActivationConditions
> >> (shibboleth.Conditions.RelyingPartyId)
> >> (https://wiki.shibboleth.net/confluence/display/IDP30/ExternalAttributePluginActivationConditions)
> >> with "RelyingPartyByGroup"?
> >
> And of course I echo all the cautions, you should not use RelyingPartyByGroup except to reference groups maintained in local aggregates that you control.
>
> In most cases, what you should use is an EntityAttribute metadata filter to "auto-tag" entities in a metadata feed with an entity attribute, and then apply a condition to that tag, but likewise I didn't predefine that as a bean.
So something like this would tag all entityIDs in metadata:
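    <MetadataFilter xsi:type="EntityAttributes">
        <!-- Tag added to every entity the condition accepts -->
        <saml:Attribute Name="https://sp.example.org/tagname1">
            <saml:AttributeValue>foo</saml:AttributeValue>
        </saml:Attribute>
        <!-- Bean ID of the predicate that selects the entities to tag -->
        <ConditionRef>tagall</ConditionRef>
    </MetadataFilter>

    <!-- Predicate that accepts every entity -->
    <bean id="tagall" factory-method="alwaysTrue" class="com.google.common.base.Predicates"/>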
> You're welcome to file a request to have beans added to handle those cases more easily. Might already be one filed, I didn't look.
I didn't find one with "EntityAttribute" in idp (IDP-734, IDP-739 are
not usable with the attribute resolver?)
-Jarno
--
Jarno Huuskonen
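
The tag-then-condition approach discussed in this message, modelled in Python as an added example (not Shibboleth code and not part of the original post). The entityIDs and sample aggregate are constructed, the function names are hypothetical, and the entities are assumed to be unsigned so md:Extensions can be inserted as the first child.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDATTR = "urn:oasis:names:tc:SAML:metadata:attribute"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
TAG_NAME = "https://sp.example.org/tagname1"  # tag name used in the thread
TAG_VALUE = "foo"
ATTR_PATH = f"{{{MD}}}Extensions/{{{MDATTR}}}EntityAttributes/{{{SAML}}}Attribute"

# Constructed sample aggregate; entityIDs are hypothetical.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth"/>
</md:EntitiesDescriptor>"""

def tag_entities(root, name, value, condition=lambda ent: True):
    """Add an entity attribute to every entity the condition accepts.
    The default condition plays the role of the alwaysTrue predicate."""
    tagged = []
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if not condition(ent):
            continue
        ext = ent.find(f"{{{MD}}}Extensions")
        if ext is None:
            ext = ET.Element(f"{{{MD}}}Extensions")
            ent.insert(0, ext)  # assumption: no ds:Signature child precedes it
        attrs = ext.find(f"{{{MDATTR}}}EntityAttributes")
        if attrs is None:
            attrs = ET.SubElement(ext, f"{{{MDATTR}}}EntityAttributes")
        attr = ET.SubElement(attrs, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
        tagged.append(ent.get("entityID"))
    return tagged

def has_tag(root, entity_id, name, value):
    """Condition applied to the tag: does this relying party carry name=value?"""
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") != entity_id:
            continue
        for attr in ent.findall(ATTR_PATH):
            values = [v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
            if attr.get("Name") == name and value in values:
                return True
    return False

def demo():
    """Tag everything, then tag only sp1, and test sp2 against the narrow tag."""
    everything = tag_entities(ET.fromstring(SAMPLE), TAG_NAME, TAG_VALUE)
    narrow_root = ET.fromstring(SAMPLE)
    only_sp1 = tag_entities(narrow_root, TAG_NAME, TAG_VALUE,
                            lambda ent: ent.get("entityID").startswith("https://sp1."))
    sp2 = has_tag(narrow_root, "https://sp2.example.org/shibboleth", TAG_NAME, TAG_VALUE)
    return everything, only_sp1, sp2
```

With the always-true condition every entity in the feed matches the later tag check, so the predicate referenced by ConditionRef is what actually scopes the tag.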