Need help with shibboleth.authn.RemoteUser.externalAuthnPathStrategy

Cantor, Scott cantor.2 at
Mon Feb 12 16:01:59 EST 2018

> OK, so I need to create a bean with
> id="shibboleth.authn.RemoteUser.externalAuthnPathStrategy" and I
> presume this bean needs to be a script of some sort that receives as input a
> "ProfileRequestContext". 

Doesn't have to be a script, but that's a generally easy way to get something working if the logic is simple. Anything very complex I would do in Java but it just depends what it is.

> Somehow the script must drill down into this to
> get the AuthenticationContext.  From scouring the wiki and IDP config files,
> looking for example code, I suspect that the script will do this:
> authCtx =
> input.getSubContext("net.shibboleth.idp.authn.context.AuthenticationContext");
> And then it probably needs to drill even deeper.

The request for something specific from an SP is ultimately translated into a RequestedPrincipalContext, which is underneath the AuthenticationContext in the tree, one layer deeper. So not really much beyond that in fact.

> Also I'm not clear on how to define the bean to be a script.  Something like
> this?

The parent bean you need is shibboleth.ContextFunctions.Scripted and the main example of that already in existence would be the rule function(s) in the various MFA examples and the default MFA login configuration, it includes functions that are exactly that type, Function<ProfileRequestContext,String>

The fact that it's used for a completely unrelated purposes doesn't really change what it looks like.

> And it looks like the input argument to the script is in a variable named
> "input" that is of type ProfileRequestContext.

It is, yes.

> My script will return "contextRelative:Authn/RemoteUser" under most
> circumstances and will return something else only if the SAML Auth Request
> specifies a particular AC value.

The result of a Javascript function is basically just the final expression, so normally you just declare a variable to hold the final result, adjust the value as you go, and make the final statement in the function that variable's name.

-- Scott

More information about the users mailing list