Change the "name=" value for the UID attribute definition for specific entityIDs
Joseph Fischetti
Joseph.Fischetti at marist.edu
Thu Oct 5 09:29:12 EDT 2017
I'm asking what the preferred way of adding/referencing an activation condition would be.
I also have a few notes after testing (and I could submit updates to the wiki).
> services.xml is for defining the resources (i.e. files) containing beans to load into services, not for defining the beans themselves.
Per the examples in services.xml, beans are defined and then referenced within services.xml. Based on those examples, it seems logical to put the following in services.xml:
<bean id="MyCondition" parent="shibboleth.Conditions.RelyingPartyId"
      c:candidate="https://sp.example.com/shibboleth" />

<util:list id="shibboleth.RelyingPartyResolverResources">
    <ref bean="MyCondition"/>
    <value>%{idp.home}/conf/relying-party.xml</value>
    <value>%{idp.home}/conf/credentials.xml</value>
    <value>%{idp.home}/system/conf/relying-party-system.xml</value>
</util:list>
Is it preferable instead to create a new xml file (relying-party-custom-beans.xml), and add that as another <value> line within shibboleth.RelyingPartyResolverResources as you've suggested?
At any rate, I do have the desired functionality after making the above changes to services.xml, with a couple of caveats.
1) I get an error [error] when trying to reference the bean in shibboleth.RelyingPartyResolverResources. I needed to reference it in shibboleth.LegacyRelyingPartyResolverResources.
2) In order for the attributes to be resolved/released properly, I had to define the attribute with the activation condition first in attribute-resolver.xml. [Definitions]
The SP referenced in MyCondition (a CAS5-dev server using pac4j) gets "UDC_IDENTIFIER", and the SP that isn't referenced in MyCondition (an older CAS dev server with an SP in front of it) gets "https://it.marist.edu/attributes/UDC_IDENTIFIER". With the order in attribute-resolver.xml reversed, neither SP received the attribute.
[error]
2017-10-05 09:20:12,771 - ERROR [org.springframework.web.context.ContextLoader:351] - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.RelyingPartyResolverService' defined in file [/opt/shibboleth-idp/system/conf/services-system.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type [java.util.ArrayList] to required type [java.util.List] for property 'serviceConfigurations'; nested exception is java.lang.IllegalArgumentException: Cannot convert value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate] to required type [org.springframework.core.io.Resource] for property 'serviceConfigurations[0]': PropertyEditor [org.springframework.core.io.ResourceEditor] returned inappropriate value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
Caused by: org.springframework.beans.TypeMismatchException: Failed to convert property value of type [java.util.ArrayList] to required type [java.util.List] for property 'serviceConfigurations'; nested exception is java.lang.IllegalArgumentException: Cannot convert value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate] to required type [org.springframework.core.io.Resource] for property 'serviceConfigurations[0]': PropertyEditor [org.springframework.core.io.ResourceEditor] returned inappropriate value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate]
at org.springframework.beans.AbstractNestablePropertyAccessor.convertIfNecessary(AbstractNestablePropertyAccessor.java:596)
Caused by: java.lang.IllegalArgumentException: Cannot convert value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate] to required type [org.springframework.core.io.Resource] for property 'serviceConfigurations[0]': PropertyEditor [org.springframework.core.io.ResourceEditor] returned inappropriate value of type [net.shibboleth.idp.profile.logic.RelyingPartyIdPredicate]
at org.springframework.beans.TypeConverterDelegate.convertIfNecessary(TypeConverterDelegate.java:302)
[Definitions]
<!-- definition with the activation condition; listed first in attribute-resolver.xml -->
<AttributeDefinition xsi:type="Simple" id="UDC_IDENTIFIER" sourceAttributeID="edupersonprincipalname" activationConditionRef="MyCondition">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String" name="UDC_IDENTIFIER" />
</AttributeDefinition>

<!-- second definition with the same id and no condition; listed second -->
<AttributeDefinition xsi:type="Simple" id="UDC_IDENTIFIER" sourceAttributeID="edupersonprincipalname">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String" name="https://it.marist.edu/attributes/UDC_IDENTIFIER" encodeType="false" />
</AttributeDefinition>
Joseph Fischetti
Linux System Administrator
Marist College
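As an added illustration (not from the post or the Shibboleth project), here is one layout for the same per-SP attribute naming that keys each encoding on the relying party id rather than on definition order, so each SP can only ever receive the one encoding meant for it. It assumes the condition beans are loaded from a file listed in shibboleth.AttributeResolverResources (the attribute resolver has its own Spring context), that shibboleth.Conditions.NOT wraps a condition with a single constructor argument, and a constructed file name and a constructed second attribute id; the post itself reports success via shibboleth.LegacyRelyingPartyResolverResources instead.

```xml
<!-- conf/attribute-resolver-conditions.xml (constructed file name) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- true only for the pac4j CAS SP named in the post -->
    <bean id="MyCondition" parent="shibboleth.Conditions.RelyingPartyId"
          c:candidate="https://sp.example.com/shibboleth" />

    <!-- complement of MyCondition: every other relying party (assumed NOT wrapper) -->
    <bean id="NotMyCondition" parent="shibboleth.Conditions.NOT">
        <constructor-arg ref="MyCondition" />
    </bean>
</beans>

<!-- conf/services.xml: make the condition file visible to the attribute resolver context
     (assumption: conditions referenced by activationConditionRef must live in this list) -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-conditions.xml</value>
    <value>%{idp.home}/conf/attribute-resolver.xml</value>
</util:list>

<!-- conf/attribute-resolver.xml: two distinct ids, each gated by a mutually exclusive condition,
     so neither definition shadows the other and order no longer matters -->
<AttributeDefinition xsi:type="Simple" id="UDC_IDENTIFIER"
                     sourceAttributeID="edupersonprincipalname"
                     activationConditionRef="MyCondition">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String" name="UDC_IDENTIFIER" />
</AttributeDefinition>

<AttributeDefinition xsi:type="Simple" id="UDC_IDENTIFIER_URI"
                     sourceAttributeID="edupersonprincipalname"
                     activationConditionRef="NotMyCondition">
    <Dependency ref="myLDAP" />
    <AttributeEncoder xsi:type="SAML2String"
                      name="https://it.marist.edu/attributes/UDC_IDENTIFIER" encodeType="false" />
</AttributeDefinition>
```

Because the second definition now has its own id (UDC_IDENTIFIER_URI, constructed here), the release policy in attribute-filter.xml must name both ids for the attribute to reach the SPs.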