Adding rpUIContext (and later a username) to error.vm

Cameron Kerr cameron.kerr at otago.ac.nz
Sun Feb 26 18:49:38 EST 2017


Hi all, I have implemented some ContextCheck intercepts[1] for some major typical use-cases / headaches we have (e.g. only users from a certain campus); we also have the IdP in question integrating with another SSO system using RemoteUserAuth[2]

[1] https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration
[2] https://wiki.shibboleth.net/confluence/display/IDP30/RemoteUserAuthnConfiguration

I would like to be able to include in error.vm the following information, which would be of inestimable value for triaging faults for the Service Desk:


- The user (if any) that was logged in (in case the user was logged in using an account they did not expect)
- The serviceName of the Relying Party in question – what I’m currently working on.

With the assistance of the documentation on VelocityVariables[3], I’ve managed to get a nice, branded views/error.vm, but one that only has a subset of the information I would like to surface.

[3] https://wiki.shibboleth.net/confluence/display/IDP30/VelocityVariables

(I might also mention that this is templated using Ansible in my deployment)


    #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied"
         or $eventId == "FailedRequirement_for_library_electronic_resources_users"
         or $eventId == "FailedRequirement_for_wellington_campus_only"
         )
    ## Added in an attempt to get a rpUIContext, but not quite there
    #set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
        $response.setStatus(403)


And the following HTML

            <div style="font-weight: bold">
            #evaluate($message)
            </div>

            <div>
              <p>Please report the following additional information if submitting a Service Desk request.</p>
              <p>Service Provider ID: $encoder.encodeForHTML($rpContext.relyingPartyId)</p>
            </div>


And the user sees something like the following (my development environment is an SP in a vagrant box):

Service Provider ID: https://siteA.192.168.33.10.xip.io/shibboleth

As you can see, I could dig out the rpContext, but I can’t figure out how to get the rpUIContext[4] which would give me a (potentially) friendlier / more user-recognisable name.

[4] https://wiki.shibboleth.net/confluence/display/IDP30/RpUIContext

Grepping around, I saw in logout.vm something that set rpUIContext, so tried this:

    #set ($rpUIContext = $rpContext.getSubcontext("net.shibboleth.idp.ui.context.RelyingPartyUIContext"))

But the following doesn’t seem to encode to anything:

                $encoder.encodeForHTML($rpUIContext.getServiceName())
                $encoder.encodeForHTML($rpUIContext.serviceName)

Grepping further, I’m thinking that I’m on the right path, but wondering if I need to add something to my -flow.xml file, like what I see in the terms-of-use context-check.

I tried the following in my ${IDP_HOME}/flows/intercept/wellington_campus_only/wellington_campus_only-flow.xml file, somewhat blindly duplicating what I found in ${IDP_HOME}/system/flows/intercept/terms-of-use-flow.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Ansible managed
-->
<flow xmlns="http://www.springframework.org/schema/webflow"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/webflow http://www.springframework.org/schema/webflow/spring-webflow.xsd"
      parent="intercept.abstract">

    <action-state id="ContextCheckSetup">  <!-- I added this node -->
       <evaluate expression="SetRPUIInformation" />
    </action-state>

    <decision-state id="CheckContext">
        <if test="ContextCheckPredicate.apply(opensamlProfileRequestContext)"
            then="proceed" else="FailedRequirement_for_wellington_campus_only" />
    </decision-state>

    <view-state id="FailedRequirement_for_wellington_campus_only" view="#{flowRequestContext.activeFlow.id}">  <!-- I added this node, had to play with this to figure out that the ‘id’ should be the name of a state, I think  -->
        <on-render>
            <evaluate expression="SetRPUIInformation.getRPUIContextCreateStrategy().apply(opensamlProfileRequestContext)" result="viewScope.rpUIContext"/>
        </on-render>
    </view-state>

    <bean-import resource="wellington_campus_only-beans.xml" />

</flow>

… and through chasing error-messages and grepping, added this to the matching -beans.xml file:

    <bean id="SetRPUIInformation"
            class="net.shibboleth.idp.ui.impl.SetRPUIInformation" scope="prototype"
            p:httpServletRequest-ref="shibboleth.HttpServletRequest">
        <property name="fallbackLanguages">
            <bean parent="shibboleth.CommaDelimStringArray" c:_0="#{'%{idp.ui.fallbackLanguages:}'.trim()}" />
        </property>
    </bean>


And now I’m up  to the following error, presumably because what I would *like* to do is to add something to a view, but what I *think* I’m doing is actually creating a view (which has been automatically created as an end-state via conf/errors.xml)

2017-02-27 12:36:24,308 - ERROR [net.shibboleth.idp.profile.interceptor:-2] - Uncaught runtime exception
java.lang.IllegalArgumentException: This flow 'intercept/wellington_campus_only' already contains a state with id 'FailedRequirement_for_wellington_campus_only' -- state ids must be locally unique to the flow definition; existing state-ids of this flow include: array<String>['ContextCheckSetup', 'CheckContext', 'FailedRequirement_for_wellington_campus_only', 'proceed', 'InvalidProfileContext', 'MessageExpired', 'MessageReplay', 'MessageAuthenticationError', 'AttributeReleaseRejected', 'TermsRejected', 'ContextCheckDenied', 'RuntimeException', 'LogRuntimeException'']
                at org.springframework.webflow.engine.Flow.add(Flow.java:256)


This is my first foray into Spring Web Flow, so if anyone can help, I’d greatly appreciate it. I’ve tried moving the on-render and evaluate to different places, but just end up breaking XML validation.


Many thanks!
Cameron


Cameron Kerr
Systems Engineer
Infrastructure & Applications ITS
University of Otago
T: +64 3 479 8191 | M: +64 021 479 527
E: cameron.kerr at otago.ac.nz
W: www.otago.ac.nz/its


Te Wāhaka Matua Hakarau Māhiohio – ITS Services
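An added illustration of the error.vm lookup discussed in the post above (not code from the poster or from the Shibboleth project): it assumes the view is rendered with the same $profileRequestContext and $encoder variables the post uses, and that the RelyingPartyUIContext may or may not have been populated, so it falls back to the entityID rather than rendering an empty field.

```velocity
## Added example, not part of the original post. Assumes $profileRequestContext
## and $encoder are available to error.vm, as in the poster's template, and that
## RelyingPartyUIContext may be absent (the fallback is the bare entityID).
#set ($rpContext = $profileRequestContext.getSubcontext('net.shibboleth.idp.profile.context.RelyingPartyContext'))
#set ($serviceLabel = "(unknown relying party)")
#if ($rpContext)
  #set ($rpUIContext = $rpContext.getSubcontext('net.shibboleth.idp.ui.context.RelyingPartyUIContext'))
  #if ($rpUIContext && $rpUIContext.getServiceName())
    ## The display name comes from SP metadata, i.e. third-party data:
    ## always HTML-encode it before it reaches the page.
    #set ($serviceLabel = $encoder.encodeForHTML($rpUIContext.getServiceName()))
  #elseif ($rpContext.relyingPartyId)
    #set ($serviceLabel = $encoder.encodeForHTML($rpContext.relyingPartyId))
  #end
#end
<div>
  <p>Please report the following additional information if submitting a Service Desk request.</p>
  <p>Service: $serviceLabel</p>
  #if ($rpContext && $rpContext.relyingPartyId)
  <p>Service Provider ID: $encoder.encodeForHTML($rpContext.relyingPartyId)</p>
  #end
</div>
```

Because every branch goes through $encoder.encodeForHTML, a metadata-supplied service name containing markup is shown literally instead of being interpreted by the browser.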


