Add a (unreleased) attribute to audit log

[Matthew Slowe]

Scott,

Thanks for the pointers. I'll have a play but have also logged an RFE.

Ta,
Matthew

On 12/06/2017 17:04, Cantor, Scott wrote:
> On 6/12/17, 11:36 AM, "users on behalf of Matthew Slowe" <users-bounces at shibboleth.net on behalf of M.Slowe at kent.ac.uk> wrote:
> 
>> Hmm, sounds a bit deeper than I'd hoped... where would I start with the script idea?
> 
> This is programming, and it's not meant to be anything else, but there's an example of a scripted context function in the MFA login flow configuration. The parent bean is "shibboleth.ContextFunctions.Scripted", and that implements the Function<ProfileRequestContext> interface by running the script and returning the script result.
> 
> The script needs to return, presumably in your case, a String.
> 
> If you literally want to expose an unreleased attribute, then you're looking for the AttributeContext underneath the ProfileRequestContext, and you'll have to refer to that javadoc and all the related classes to access the unfiltered IdPAttributes and get at their value(s). There's a getUnfilteredIdPAttributes method returning a map.
> 
> It's roughly:
> 
> input.getSubcontext(
>        "net.shibboleth.idp.attribute.context.AttributeContext"
>        ).getUnfilteredIdPAttributes().get("attrname").getValues()
> 
> You'd have to map the function bean to a field label and put it one of the audit field maps that's late enough in the process to be after attribute resolution.
> 
> That's really the best I can do in an email.
> 
> I have no objection to people filing RFEs against the documentation to ask for examples to get created, I just can't promise when it will happen. 
> 
> -- Scott
> 
> 


-- 
Matthew Slowe | Server Infrastructure Officer
IT Infrastructure, Information Services, University of Kent
Room S21, Cornwallis South
Canterbury, Kent, CT2 7NZ, UK
Tel: +44 (0)1227 824265

www.kent.ac.uk/is | @UnikentUnseenIT | @UKCLibraryIt
PGP: https://keybase.io/fooflington