Handling New User Memberships
Brandon McKean
mckeanbs at jmu.edu
Wed May 10 08:39:48 EDT 2017
I was aiming for more of a regex style of match. I was able to get the
SimpleAttributePredicate working with an attribute that only produces
one value, so what I've done now is invent a new scripted attribute that
produces a one value result to then be used by ContextCheckPredicate.
Basically this in attribute resolver:
> <resolver:AttributeDefinition xsi:type="ad:Script" id="userblock">
>     <resolver:Dependency ref="jmuad" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>         name="userblock" />
>     <ad:Script>
>     <![CDATA[
>         var values = eduPersonScopedAffiliation.getValues();
>         var regex = /student|staff|faculty/
>         if ( regex.test(values) )
>         {
>             userblock.addValue("yes");
>         }
>         else {
>             userblock.addValue("no");
>         }
>     ]]>
>     </ad:Script>
> </resolver:AttributeDefinition>
and this as the contextcheckpredicate
>
> <bean id="ContextCheckPredicate"
>     class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
>     p:useUnfilteredAttributes="true">
>     <property name="attributeValueMap">
>         <map>
>             <entry key="userblock">
>                 <list>
>                     <value>yes</value>
>                 </list>
>             </entry>
>         </map>
>     </property>
> </bean>
Is this a good way to handle what I'm trying to do? It does work either
way but if there's a recommended approach I'd rather do that.
Thanks,
--
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
On 05/09/2017 05:01 PM, Cantor, Scott wrote:
> On 5/9/17, 3:32 PM, "users on behalf of Brandon McKean" <users-bounces at shibboleth.net on behalf of mckeanbs at jmu.edu> wrote:
>
>> While it's processed by Shibboleth, it doesn't seem to be using the
>> attribute as expected:
> I don't know what you're expecting but it looks like the attribute isn't there and I would assume it would block access in that case.
>
> -- Scott
>
>
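Added example, not part of the original thread or of the Shibboleth project's code: a plain-JavaScript model of the yes/no decision that feeds the context check, comparing the unanchored regex over the whole value collection with an exact per-value match on the affiliation part. It assumes each value is a plain "affiliation@scope" string; the function names, the optional scope check and the example.edu sample values are constructed for illustration.

```javascript
// Added example: plain-JavaScript model of the yes/no decision, runnable in Node.
// Assumption: each value is a plain string "affiliation@scope".
const ALLOWED = new Set(["student", "staff", "faculty"]);

// Models the posted script: one unanchored regex over the string form
// of the whole value collection.
function userblockUnanchored(values) {
  const regex = /student|staff|faculty/;
  return regex.test(String(values)) ? "yes" : "no";
}

// Stricter variant (hypothetical helper): compare the affiliation part of
// each value exactly, and optionally require a specific scope.
function userblockExact(values, expectedScope) {
  for (const raw of values) {
    const v = String(raw).trim().toLowerCase();
    const at = v.lastIndexOf("@");
    if (at <= 0) continue; // no affiliation part, skip this value
    const affiliation = v.slice(0, at);
    const scope = v.slice(at + 1);
    if (expectedScope && scope !== expectedScope) continue;
    if (ALLOWED.has(affiliation)) return "yes";
  }
  return "no";
}

// Constructed sample inputs (not taken from the thread).
const SAMPLES = [
  ["student@example.edu", "member@example.edu"],
  ["alum@example.edu", "member@example.edu"],
  ["affiliate@staffing.example.edu"], // "staff" appears only inside the scope
  [],
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), userblockUnanchored(s), userblockExact(s, "example.edu"));
}
```

Because the result gates access, the case to watch is the third sample: the unanchored test answers "yes" when a keyword appears anywhere in the stringified values, including inside a scope.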