Adding rpUIContext (and later a username) to error.vm
Cameron Kerr
cameron.kerr at otago.ac.nz
Sun Feb 26 18:49:38 EST 2017
Hi all, I have implemented some ContextCheck intercepts[1] for some major typical use-cases / headaches we have (e.g. only users from a certain campus); we also have the IdP in question integrating with another SSO system using RemoteUserAuth[2].
[1] https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration
[2] https://wiki.shibboleth.net/confluence/display/IDP30/RemoteUserAuthnConfiguration
I would like to be able to include in error.vm the following information, which would be of inestimable value for triaging faults for the Service Desk:
· The user (if any) that was logged in (in case the user was logged in using an account they did not expect)
· The serviceName of the Relying Party in question – what I’m currently working on.
With the assistance of the documentation on VelocityVariables[3], I’ve managed to get a nice, branded views/error.vm, but one that only has a subset of the information I would like to surface.
[3] https://wiki.shibboleth.net/confluence/display/IDP30/VelocityVariables
(I might also mention that this is templated using Ansible in my deployment)
#if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied"
or $eventId == "FailedRequirement_for_library_electronic_resources_users"
or $eventId == "FailedRequirement_for_wellington_campus_only"
)
## Added in an attempt to get a rpUIContext, but not quite there
#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
$response.setStatus(403)
And the following HTML
<div style="font-weight: bold">
#evaluate($message)
</div>
<div>
<p>Please report the following additional information if submitting a Service Desk request.</p>
<p>Service Provider ID: $encoder.encodeForHTML($rpContext.relyingPartyId)</p>
</div>
And the user sees something like the following (my development environment is an SP in a vagrant box):
Service Provider ID: https://siteA.192.168.33.10.xip.io/shibboleth
As you can see, I could dig out the rpContext, but I can’t figure out how to get the rpUIContext[4] which would give me a (potentially) friendlier / more user-recognisable name.
[4] https://wiki.shibboleth.net/confluence/display/IDP30/RpUIContext
Grepping around, I saw in logout.vm something that set rpUIContext, so tried this:
#set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))
But the following doesn’t seem to encode to anything:
$encoder.encodeForHTML($rpUIContext.getServiceName())
$encoder.encodeForHTML($rpUIContext.serviceName)
Grepping further, I'm thinking that I'm on the right path, but wondering if I need to add something to my -flow.xml file, like what I see in the terms-of-use context-check.
I tried the following in my ${IDP_HOME}/flows/intercept/wellington_campus_only/wellington_campus_only-flow.xml file, somewhat blindly duplicating what I found in ${IDP_HOME}/system/flows/intercept/terms-of-use-flow.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!--
Ansible managed
-->
<flow xmlns="http://www.springframework.org/schema/webflow"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
parent="intercept.abstract">
<action-state id="ContextCheckSetup"> <!-- I added this node -->
<evaluate expression="SetRPUIInformation" />
</action-state>
<decision-state id="CheckContext">
<if test="ContextCheckPredicate.apply(opensamlProfileRequestContext)"
then="proceed" else="FailedRequirement_for_wellington_campus_only" />
</decision-state>
<view-state id="FailedRequirement_for_wellington_campus_only" view="#{flowRequestContext.activeFlow.id}"> <!-- I added this node; had to play with this to figure out that the 'id' should be the name of a state, I think -->
<on-render>
<evaluate expression="SetRPUIInformation.getRPUIContextCreateStrategy().apply(opensamlProfileRequestContext)" result="viewScope.rpUIContext"/>
</on-render>
</view-state>
<bean-import resource="wellington_campus_only-beans.xml" />
</flow>
… and through chasing error messages and grepping, added this to the matching -beans.xml file:
<bean id="SetRPUIInformation"
class="net.shibboleth.idp.ui.impl.SetRPUIInformation" scope="prototype"
p:httpServletRequest-ref="shibboleth.HttpServletRequest">
<property name="fallbackLanguages">
<bean parent="shibboleth.CommaDelimStringArray" c:_0="#{'%{idp.ui.fallbackLanguages:}'.trim()}" />
</property>
</bean>
And now I’m up to the following error, presumably because what I would *like* to do is to add something to a view, but what I *think* I’m doing is actually creating a view (which has been automatically created as an end-state via conf/errors.xml)
2017-02-27 12:36:24,308 - ERROR [net.shibboleth.idp.profile.interceptor:-2] - Uncaught runtime exception
java.lang.IllegalArgumentException: This flow 'intercept/wellington_campus_only' already contains a state with id 'FailedRequirement_for_wellington_campus_only' -- state ids must be locally unique to the flow definition; existing state-ids of this flow include: array<String>['ContextCheckSetup', 'CheckContext', 'FailedRequirement_for_wellington_campus_only', 'proceed', 'InvalidProfileContext', 'MessageExpired', 'MessageReplay', 'MessageAuthenticationError', 'AttributeReleaseRejected', 'TermsRejected', 'ContextCheckDenied', 'RuntimeException', 'LogRuntimeException']
at org.springframework.webflow.engine.Flow.add(Flow.java:256)
This is my first foray into Spring Web Flow, so if anyone can help, I’d greatly appreciate it. I’ve tried moving the on-render and evaluate to different places, but just end up breaking XML validation.
Many thanks!
Cameron
Cameron Kerr
Systems Engineer
Infrastructure & Applications, ITS
University of Otago
T: +64 3 479 8191 | M: +64 021 479 527
E: cameron.kerr at otago.ac.nz
W: www.otago.ac.nz/its
Te Wāhaka Matua Hakarau Māhiohio – ITS Services
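The following is an added example, not code from the original post or from the Shibboleth project: a defensive views/error.vm fragment that surfaces both items the post asks for (the logged-in principal and a user-recognisable service name) without blowing up when a context is missing. It assumes, as the VelocityVariables page documents, that $profileRequestContext and $encoder are exposed to the error view; it further assumes that the RelyingPartyUIContext may simply not exist at the point the error view renders (the symptom described above), so every lookup is null-guarded and the entityID is used as the fallback identifier. The SubjectContext lookup for the principal name is the added part for the "later a username" item.

```velocity
## Added example (not from the original post): defensive error.vm fragment.
## Assumptions: $profileRequestContext and $encoder are available to the view,
## and the RelyingPartyUIContext may or may not have been created before the
## error view renders, so nothing below depends on it being present.
#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
#set ($subjectContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.authn.context.SubjectContext'))
#if ($rpContext)
  ## The UI context hangs off the RelyingPartyContext, not the profile context.
  #set ($rpUIContext = $rpContext.getSubcontext('net.shibboleth.idp.ui.context.RelyingPartyUIContext'))
#end
<div>
  <p>Please report the following additional information if submitting a Service Desk request.</p>
  ## Prefer the friendly service name when the UI context exists and has one.
  #if ($rpUIContext && $rpUIContext.getServiceName())
    <p>Service: $encoder.encodeForHTML($rpUIContext.getServiceName())</p>
  #end
  ## Always show the entityID; it is the value the Service Desk can search on.
  #if ($rpContext && $rpContext.getRelyingPartyId())
    <p>Service Provider ID: $encoder.encodeForHTML($rpContext.getRelyingPartyId())</p>
  #end
  ## Who the IdP thinks is logged in, if anyone (absent before authentication).
  #if ($subjectContext && $subjectContext.getPrincipalName())
    <p>Logged-in user: $encoder.encodeForHTML($subjectContext.getPrincipalName())</p>
  #else
    <p>Logged-in user: (none)</p>
  #end
</div>
```

Two points worth keeping in mind with this fragment. First, `#if ($rpUIContext && ...)` is what keeps the page rendering when the context was never created; an unguarded `$rpUIContext.getServiceName()` on a missing context is exactly the "doesn't seem to encode to anything" symptom. Second, the service name and entityID come from SP metadata, which in a federation is written by other organisations, so they must go through `$encoder.encodeForHTML` just like the principal name before being echoed into an error page.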