AuthnContextClassRef from SSP SP seeming to be ignored

Brent Putman putmanb at
Wed Jan 11 19:32:56 EST 2017

On 1/11/17 2:52 PM, Cantor, Scott wrote:

> I guess comparing a DEBUG log between the two SP cases maybe. Brent has a way of logging/printing the context tree inside the IdP but I haven't used it so I don't know how easy it is to get that into a script step or something like that, I think we talked about wiring that in as a feature people could more readily use but we haven't done that.

We have that action, yes, but the current version doesn't log the
context *data*, just the name of the context classes in the
hierarchical context tree structure.    It was primarily for
development/learning of flows, to facilitate determining and confirming
the fundamental structure of the emergent context tree at arbitrary
points-of-interest in the flows: what contexts are being added/removed,
what the parent/child relationships are, etc.

I did also experiment with trying to log the actual context data as
well.  You essentially need some support code that can use reflection
to serialize arbitrary objects. I tried Apache commons-lang, but I was
only able to get it to handle the immediate target that is passed; it
wouldn't reflectively recurse into object fields which are themselves
Objects, it just calls their toString().  Maybe it can do and just
needs more investigation.  In my notes on committers, I mentioned that
it looks like Spring has some serializer thingy too, but I don't recall
testing that.

If we can identify such a reflection-based "universal string
serializer" utility class somewhere that is acceptable, then I can
throw that in easily for the next release.  I still have the patch with
the commons-lang code, it's not complicated.

If someone does want to use the existing action as-is, just 2 steps:

1) Declare a single action bean somewhere visible to all flows in which
you want to use (e.g. conf/global.xml).  It's stateless, so you can
reuse multiple times in the flows as a singleton:

 <bean id="LogContextTree"
class="net.shibboleth.idp.profile.impl.LogContextTree" />

2) Insert the action expression in the SWF flow file(s) wherever you
want the logging to appear.  You can optionally add a description via a
SWF attribute if you want to contexualize the tree logging event:

     <action-state id="HandleOutboundMessage">
         <evaluate expression="HandleOutboundMessage" />

        *<evaluate expression="LogContextTree">**
**            <attribute name="contextTreeDescription" value="Pre
Encode Message" />**
**        </evaluate>*

         <evaluate expression="EncodeMessage" />
         <evaluate expression="RecordResponseComplete" />
         <evaluate expression="'proceed'" />

Doing #2 obviously means modifying the flows files under system (unless
it's your own custom flow), but that's probably ok for testing and


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list