Use group for MFA

Brandon McKean mckeanbs at
Mon May 22 10:36:25 EDT 2017

I've given that example a shot, but I keep getting a NullPointerException:

> 2017-05-22 10:28:26,531 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
> java.lang.NullPointerException: null
>         at net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext.resolveAttributes(
> 2017-05-22 10:28:26,570 - WARN [org.opensaml.profile.action.impl.LogEvent:105] - A non-proceed event occurred while processing the request: RuntimeException

Am I missing something? I'm guessing it means that I should change 
"custom" within this to something else:

> resCtx.resolveAttributes(custom);

But I'm at a loss as to what.

Any help would be appreciated.


Brandon McKean
IT / Systems
Linux Administrator

On 05/11/2017 07:43 PM, Cantor, Scott wrote:
> On 5/11/17, 6:41 PM, "users on behalf of Andrew Morgan" <users-bounces at on behalf of morgan at> wrote:
>>> The only thing it doesn't show at the moment is it populating the
>>> attribute "recipient" name which some people want to use in their
>>> resolver scripts but most don't need it.
>> What are you talking about here regarding "recipient"?  I don't see that
>> word in the wiki example...
> I was saying it's *not* in the example; there are threads in the archive about the relying party name not being populated in the resolver when it runs this way. Getting it set requires calling the setAttributeRecipient method on the AttributeResolutionContext it's setting up in the script, and I was saying the example(s) don't show that at the moment.
> The issue I've mentioned in the past is that you don't need to do weird things in the resolver scripts. If you need the relying party name populated for scripts there to work, it can just be populated into the context by the MFA rule running the resolver, rather than having to add weird look-aside code in the resolver scripts.
> -- Scott
