attribute resolver script
Michael Dahlberg
olgamirth at gmail.com
Wed Nov 9 09:33:58 EST 2016
Ian:
Thank you very much! The mapped attribute you provided worked perfectly
and did exactly what I needed (I didn't try your script suggestion).
Any suggestions on why/when you would choose a mapped attribute over a
scripted attribute?
Thanks again,
Mike
On Tue, Nov 8, 2016 at 4:43 PM, Ian Bobbitt <ibobbitt at globalnoc.iu.edu>
wrote:
> Mike,
>
> I believe bucknellEduPersonPrimaryAffiliation.getValues() should be
> bucknellEduPersonPrimaryAffiliation.getValues().get(0) but you would also
> probably be better served by a Mapped attribute instead.
> https://wiki.shibboleth.net/confluence/display/IDP30/MappedAttributeDefinition
>
> <resolver:AttributeDefinition id="eduPersonPrimaryAffiliation"
>         xsi:type="ad:Mapped"
>         sourceAttributeID="bucknellEduPersonPrimaryAffiliation">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>         name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
>         friendlyName="eduPersonPrimaryAffiliation" encodeType="false" />
>     <ad:DefaultValue>member</ad:DefaultValue>
>     <ad:ValueMap>
>         <ad:ReturnValue>faculty</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">faculty</ad:SourceValue>
>     </ad:ValueMap>
>     <ad:ValueMap>
>         <ad:ReturnValue>staff</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">staff</ad:SourceValue>
>     </ad:ValueMap>
>     <ad:ValueMap>
>         <ad:ReturnValue>student</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">student</ad:SourceValue>
>     </ad:ValueMap>
>     <ad:ValueMap>
>         <ad:ReturnValue>alum</ad:ReturnValue>
>         <ad:SourceValue partialMatch="true">alum</ad:SourceValue>
>     </ad:ValueMap>
> </resolver:AttributeDefinition>
>
> Ian
>
> On 11/8/16 3:18 PM, Michael Dahlberg wrote:
> > I'm trying to populate an attribute, eduPersonPrimaryAffiliation, from
> > another attribute that I have available in our LDAP structure,
> > bucknellEduPersonPrimaryAffiliation. Normally, I'd just release
> > bucknellEduPersonPrimaryAffiliation and be done with it. Unfortunately,
> > the SP requires a valid value in the attribute and there are a number of
> > entries in our LDAP structure for this attribute that have no value (or a
> > "not real valid" value). Based on this I tried writing the following
> > resolver script:
> >
> > <resolver:AttributeDefinition id="eduPersonPrimaryAffiliation"
> >         xsi:type="ad:Script">
> >     <resolver:Dependency ref="myLDAP" />
> >     <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> >         name="urn:mace:dir:attribute-def:eduPersonPrimaryAffiliation" />
> >     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> >         name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5"
> >         friendlyName="eduPersonPrimaryAffiliation" />
> >
> >     <ad:Script><![CDATA[
> >         // If the user has group membership
> >         if (typeof eduPersonAffiliation != "undefined" ){
> >             value = bucknellEduPersonPrimaryAffiliation.getValues();
> >
> >             if (value.contains("faculty")){
> >                 strPrimary = "faculty";
> >             } else if (value.contains("staff")){
> >                 strPrimary = "staff";
> >             } else if (value.contains("student")){
> >                 strPrimary = "student";
> >             } else if (value.contains("alum")){
> >                 strPrimary = "alum";
> >             } else {
> >                 strPrimary = "member";
> >             }
> >         }
> >         eduPersonPrimaryAffiliation.add(strPrimary);
> >     ]]></ad:Script>
> >
> > </resolver:AttributeDefinition>
> >
> >
> > The IdP starts fine, but when I try and release the attribute
> > eduPersonPrimaryAffiliation, the script tries adding a number of
> > attributes (uid, telephoneNumber, mail, etc) to
> > eduPersonPrimaryAffiliation (as a "dependent attribute", which they are
> > clearly not) as well as the attribute retrieved from
> > bucknellEduPersonPrimaryAffiliation and ultimately errors out with the
> > error:
> >
> > 14:57:45.050 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:257] - [134.82.79.6] - Profile Action ResolveAttributes: Error resolving attributes
> > net.shibboleth.idp.attribute.resolver.ResolutionException: Attribute Definition 'eduPersonPrimaryAffiliation': unable to execute script
> >
> > Any suggestions will be greatly appreciated.
> >
> > Thanks,
> > Mike
> >
> >
>
>
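Added example, not part of the original thread and not Shibboleth code: a simplified JavaScript model of the Mapped definition quoted above, run over constructed directory values to show which entries fall back to the default and which yield more than one value. It assumes case-sensitive substring matching for partialMatch="true", that every matching ValueMap contributes its ReturnValue, and that DefaultValue applies when nothing matches or the source attribute is empty; the function names and sample data are hypothetical.

```javascript
// Simplified model of the ad:Mapped definition quoted in the thread.
// Not Shibboleth code; the matching semantics here are assumptions.
const VALUE_MAPS = [ // ReturnValue / SourceValue pairs from the quoted config
  { ret: "faculty", src: "faculty" },
  { ret: "staff", src: "staff" },
  { ret: "student", src: "student" },
  { ret: "alum", src: "alum" },
];
const DEFAULT_VALUE = "member"; // <ad:DefaultValue>

// Values released for one directory entry's source attribute values.
function mapAffiliation(sourceValues) {
  const values = (sourceValues || []).filter((v) => typeof v === "string");
  if (values.length === 0) return [DEFAULT_VALUE]; // attribute missing or empty
  const out = [];
  for (const v of values) {
    // partialMatch="true", modelled as a case-sensitive substring test
    const hits = VALUE_MAPS.filter((m) => v.includes(m.src)).map((m) => m.ret);
    for (const r of hits.length ? hits : [DEFAULT_VALUE]) {
      if (!out.includes(r)) out.push(r); // model collapses duplicates
    }
  }
  return out;
}

// Note the entries worth reviewing before the attribute goes to the SP.
function auditEntry(uid, sourceValues) {
  const released = mapAffiliation(sourceValues);
  const notes = [];
  if (released.length > 1) notes.push("more than one value for a 'primary' attribute");
  if (released.includes(DEFAULT_VALUE)) notes.push("fell back to DefaultValue");
  return { uid, released, notes };
}

function auditAll(entries) {
  return Object.entries(entries).map(([uid, v]) => auditEntry(uid, v));
}

// Constructed sample directory values (hypothetical, not from the thread).
const SAMPLE = {
  u1: ["faculty"],
  u2: [],
  u3: ["n/a"],
  u4: ["staff-student"],
  u5: ["Alum"],
};

for (const r of auditAll(SAMPLE)) {
  console.log(r.uid, r.released.join(","), r.notes.join("; ") || "ok");
}
```

Running the same audit over an export of the real source attribute shows, before release, how many users an SP would see as "member" and whether any substring match assigns an affiliation the directory value did not intend.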