Access to peer endpoint via scripted attribute resolver

Dave Goldhammer dave.goldhammer at Colorado.EDU
Thu May 12 01:51:49 EDT 2016

Scott, thanks for your reply. I was eventually able to access the
peer endpoint URL once I figured out that the SAMLEndpointContext is
a child of the SAMLPeerEntityContext and that I needed the outbound
message context. There may be alternate ways to accomplish this, but the
following works within a resolver script:

    msg = profileContext.getOutboundMessageContext();
    peer = msg.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext");
    endpoint = peer.getSubcontext("org.opensaml.saml.common.messaging.context.SAMLEndpointContext").getEndpoint();
    location = endpoint.getLocation();

The above could be consolidated into a long one-liner if desired.

I started down this path as a result of an interesting request from
our Salesforce team related to licensing and user roles within the
application. They asked if we could modify an existing attribute when
a user logs on to a particular SP. From the IdP perspective, there
is a single Salesforce entityID with multiple endpoints defined in
the metadata. Adding another distinct Salesforce SP with a different
entityID creates some challenges from the Salesforce side of things.

Scott, would you be willing to elaborate on why this would be a bad
idea, as you noted in your original reply below?

Thank you,


On Tue, May 10, 2016 at 01:33:29PM +0000, Cantor, Scott wrote:
> > Hello, all. In the IdP (version 3.2.1, Java 1.7), I am attempting to
> > access the peer entity endpoint (URL) via an attribute resolver script.
> > I've currently been trying two variations. The first is as follows:
> org.opensaml.messaging.context is not a context class type.
> > The second attempt is:
> > 
> >"Blah: {}",
> > profileContext.getSubcontext("org.opensaml.saml.common.messaging.cont
> > ext.SAMLEndpointContext").getEndpoint());
> > 
> And that context isn't located beneath the PRC.
> > In general, I'm able to successfully retrieve and log various other
> > things via the resolver script, for example HttpServletRequest info via
> > customObjectRef, requestContext.getPeerEntityId(), and the relying party
> > ID via a call to "profileContext", but I am struggling with the peer
> > endpoint.
> profileContext.getInboundMessageContext() is the root of the tree you want. I don't recall offhand where the SAMLEndpointContext is in the tree.
> I'm not sure why you'd want to access this, but it probably would not be a good idea. You should absolutely not be basing any policy on it, that's for certain.
> -- Scott

More information about the users mailing list