attribute resolver script

Michael Dahlberg olgamirth at gmail.com
Wed Nov 9 09:33:58 EST 2016


Ian:

Thank you very much!  The mapped attribute you provided worked perfectly
and did exactly what I needed (I didn't try your script suggestion).

Any suggestions on why/when you would choose a mapped attribute over a
scripted attribute?

Thanks again,
Mike

On Tue, Nov 8, 2016 at 4:43 PM, Ian Bobbitt <ibobbitt at globalnoc.iu.edu>
wrote:

> Mike,
>
> I believe bucknellEduPersonPrimaryAffiliation.getValues() should be
> bucknellEduPersonPrimaryAffiliation.getValues().get(0) but you would also
> probably be better served by a Mapped attribute instead.
> https://wiki.shibboleth.net/confluence/display/IDP30/MappedAttributeDefinition
>
> <resolver:AttributeDefinition id="eduPersonPrimaryAffiliation"
>                               xsi:type="ad:Mapped"
>                               sourceAttributeID="bucknellEduPersonPrimaryAffiliation">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>                                name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
>                                friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
>     <ad:DefaultValue>member</ad:DefaultValue>
>     <ad:ValueMap>
>         <ad:ReturnValue>faculty</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">faculty</ad:SourceValue>
>     </ad:ValueMap>
>     <ad:ValueMap>
>         <ad:ReturnValue>staff</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">staff</ad:SourceValue>
>     </ad:ValueMap>
>     <ad:ValueMap>
>         <ad:ReturnValue>student</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">student</ad:SourceValue>
>     </ad:ValueMap>
>
>     <ad:ValueMap>
>         <ad:ReturnValue>alum</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">alum</ad:SourceValue>
>     </ad:ValueMap>
>  </resolver:AttributeDefinition>
>
> Ian
>
> On 11/8/16 3:18 PM, Michael Dahlberg wrote:
> > I'm trying to populate an attribute, eduPersonPrimaryAffiliation, from
> > another attribute that I have available in our LDAP structure,
> > bucknellEduPersonPrimaryAffiliation.  Normally, I'd just release
> > bucknellEduPersonPrimaryAffiliation and be done with it.  Unfortunately,
> > the SP requires a valid value in the attribute and there are a number of
> > entries in our LDAP structure for this attribute that have no value (or a
> > "not real valid" value).  Based on this I tried writing the following
> > resolver script:
> >
> >     <resolver:AttributeDefinition id="eduPersonPrimaryAffiliation"
> >                                   xsi:type="ad:Script">
> >         <resolver:Dependency ref="myLDAP" />
> >         <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> >                                    name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
> >         <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> >                                    name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
> >                                    friendlyName="eduPersonPrimaryAffiliation" />
> >
> >    <ad:Script><![CDATA[
> >         // If the user has group membership
> >         if (typeof eduPersonAffiliation != "undefined" ){
> >             value = bucknellEduPersonPrimaryAffiliation.getValues();
> >
> >             if (value.contains("faculty")){
> >                 strPrimary = "faculty";
> >             } else if (value.contains("staff")){
> >                 strPrimary = "staff";
> >             } else if (value.contains("student")){
> >                 strPrimary = "student";
> >             } else if (value.contains("alum")){
> >                 strPrimary = "alum";
> >             } else {
> >                 strPrimary = "member";
> >             }
> >         }
> >         eduPersonPrimaryAffiliation.add(strPrimary);
> >         ]]></ad:Script>
> >
> >     </resolver:AttributeDefinition>
> >
> >
> > The IdP starts fine, but when I try and release the attribute
> > eduPersonPrimaryAffiliation, the script tries adding a number of
> > attributes (uid, telephoneNumber, mail, etc) to
> > eduPersonPrimaryAffiliation (as a "dependent attribute", which they are
> > clearly not) as well as the attribute retrieved from
> > bucknellEduPersonPrimaryAffiliation and ultimately errors out with the
> > error:
> >
> > 14:57:45.050 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:257] - [134.82.79.6] - Profile Action ResolveAttributes: Error resolving attributes
> > net.shibboleth.idp.attribute.resolver.ResolutionException: Attribute Definition 'eduPersonPrimaryAffiliation': unable to execute script
> >
> > Any suggestions will be greatly appreciated.
> >
> > Thanks,
> > Mike
>
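
Added example, not part of the original thread and not Shibboleth's code: a simplified JavaScript model of the Mapped definition quoted above, next to the first-match chain from the scripted version, run over constructed directory values. It assumes partialMatch="true" is a substring test, that every matching ValueMap contributes its ReturnValue, and that DefaultValue applies only when nothing matches; the function names are hypothetical.

```javascript
// Constructed model of the ValueMap entries quoted in the thread (not Shibboleth code).
const VALUE_MAPS = [
  { sourceValue: "faculty", returnValue: "faculty" },
  { sourceValue: "staff", returnValue: "staff" },
  { sourceValue: "student", returnValue: "student" },
  { sourceValue: "alum", returnValue: "alum" },
];
const DEFAULT_VALUE = "member";

// Assumed Mapped semantics: substring match (partialMatch="true"), every
// matching ValueMap contributes, DefaultValue only when nothing matches.
function mappedAffiliation(sourceValues) {
  const out = new Set();
  if (sourceValues.length === 0) out.add(DEFAULT_VALUE);
  for (const value of sourceValues) {
    const hits = VALUE_MAPS.filter((m) => value.includes(m.sourceValue));
    if (hits.length === 0) out.add(DEFAULT_VALUE);
    for (const m of hits) out.add(m.returnValue);
  }
  return [...out];
}

// Model of the script's if/else chain after the get(0) change (assumed to be
// a substring test on the first value): the first matching branch wins.
function scriptedAffiliation(sourceValues) {
  const value = sourceValues.length > 0 ? sourceValues[0] : "";
  const hit = VALUE_MAPS.find((m) => value.includes(m.sourceValue));
  return [hit ? hit.returnValue : DEFAULT_VALUE];
}

// Constructed directory values, including the empty and invalid cases.
const SAMPLES = [["faculty"], [], [""], ["n/a"], ["faculty-staff"], ["former-staff"]];

function compare() {
  return SAMPLES.map((s) => ({
    source: s,
    mapped: mappedAffiliation(s),
    scripted: scriptedAffiliation(s),
  }));
}

for (const row of compare()) {
  console.log(JSON.stringify(row.source), "->", row.mapped.join(","), "|", row.scripted.join(","));
}
```

Under these assumptions a source value such as "faculty-staff" yields two values from the mapped form but one from the script, which matters for a single-valued attribute like eduPersonPrimaryAffiliation, and "former-staff" still maps to staff, so the directory's actual values are worth checking before relying on substring matches.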