activationConditions using an attribute value

Marco Naimoli marco.naimoli at unipd.it
Wed Jul 11 11:53:37 EDT 2018


Thank you Peter. My configuration is:

<!-- attribute-resolver.xml -->

<!-- This was created just for testing purposes: a static connector that always
     yields attribute1=value1 -->
<DataConnector id="testStaticAttribute" xsi:type="Static">
    <Attribute id="attribute1">
        <Value>value1</Value>
    </Attribute>
</DataConnector>

<!-- Released only when the activation condition "isInternal" (below) holds -->
<AttributeDefinition id="myTest" xsi:type="Simple"
                     sourceAttributeID="attribute1"
                     activationConditionRef="isInternal">
    <Dependency ref="testStaticAttribute" />
    <AttributeEncoder xsi:type="SAML2String"
                      name="https://my.static.attr" friendlyName="mytest" />
</AttributeDefinition>

<!-- when a user has employeeType='external' then unipdEmployeeType="NO",
     otherwise unipdEmployeeType="OK" -->
<AttributeDefinition id="unipdEmployeeType" xsi:type="Mapped"
                     sourceAttributeID="employeeType" dependencyOnly="true">
    <Dependency ref="openldap_activation" />
    <DefaultValue>OK</DefaultValue>
    <ValueMap>
        <ReturnValue>NO</ReturnValue>
        <SourceValue>external</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- Spring beans (in a bean file loaded by the IdP, such as global.xml) -->

<!-- true when unipdEmployeeType has the value "OK" -->
<bean id="internalUser"
      class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
      p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
        <map>
            <entry key="unipdEmployeeType">
                <list>
                    <value>OK</value>
                </list>
            </entry>
        </map>
    </property>
</bean>

<!-- I'm using the "OR" condition because my plans are to add other SPs
     to the list -->
<bean id="permitRP" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:_0="https://sp.example.net/shibboleth" />
        </list>
    </constructor-arg>
</bean>

<!-- the condition is: when the unipdEmployeeType="OK" OR the SP is one
     of the list, then proceed -->
<bean id="isInternal" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="permitRP"/>
            <bean parent="internalUser"/>
        </list>
    </constructor-arg>
</bean>

Everything works fine when the SP is https://sp.example.net/shibboleth 
(so one of the two conditions is met): I see the correct value of myTest 
using aacli. Otherwise it doesn't work, myTest has no value, and in 
idp-process.log I see:

Resolver plugin 'myTest': activation criteria not met, nothing to do

Thank you
Marco

On 11/07/2018 17:00, Peter Schober wrote:
> * Marco Naimoli <marco.naimoli at unipd.it> [2018-07-11 16:50]:
>> Before going on with questions, I'd like to know if what I'm trying
>> to do is possible or not
> Yes (as far as that can be said based on the details you have provided
> so far).
>
> -peter
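An alternative that keeps the same gating rule (internal employee OR a permitted SP) but evaluates it inside the resolver, directly on the definition's own dependencies rather than through an activation condition bean, is a Scripted attribute definition. The following is an added example for this page; it is not part of Marco's or Peter's messages and not the Shibboleth project's own configuration. It assumes IdP 3.x with the Nashorn script engine, the connector and definition ids used above (testStaticAttribute, attribute1, unipdEmployeeType), that the script sees the ProfileRequestContext as profileContext and each dependency as a variable named after its attribute id, that string attribute values surface from getValues() as plain strings, and that the permitted SP list is the single entityID from the post. The list permittedRPs is a placeholder to be extended with further SPs.

```xml
<!-- Added example: replaces the Simple "myTest" definition and its
     activationConditionRef with a script that performs the same check. -->
<AttributeDefinition id="myTest" xsi:type="ScriptedAttribute">
    <Dependency ref="testStaticAttribute" />
    <Dependency ref="unipdEmployeeType" />
    <Script><![CDATA[
        // Assumed list of permitted SPs (only the entityID from the post).
        var permittedRPs = ["https://sp.example.net/shibboleth"];

        // The current SP's entityID comes from the RelyingPartyContext.
        var rpCtx = profileContext.getSubcontext(
            "net.shibboleth.idp.profile.context.RelyingPartyContext");
        var rpId = (rpCtx != null) ? String(rpCtx.getRelyingPartyId()) : "";
        var permittedSP = permittedRPs.indexOf(rpId) >= 0;

        // Internal user: the Mapped definition produced the value "OK".
        // The variable is guarded because a dependency with no values
        // may not be defined at all.
        var internal = false;
        if (typeof unipdEmployeeType !== "undefined") {
            var it = unipdEmployeeType.getValues().iterator();
            while (it.hasNext()) {
                if (String(it.next()) == "OK") {
                    internal = true;
                }
            }
        }

        // Emit the static value only when (internal OR permitted SP);
        // otherwise myTest stays empty and is not released.
        if ((internal || permittedSP) && typeof attribute1 !== "undefined") {
            var src = attribute1.getValues().iterator();
            while (src.hasNext()) {
                myTest.addValue(src.next());
            }
        }
    ]]></Script>
    <AttributeEncoder xsi:type="SAML2String"
                      name="https://my.static.attr" friendlyName="mytest" />
</AttributeDefinition>
```

The result can be checked the same way as in the post, with aacli for a user whose employeeType is "external" against an SP that is not in permittedRPs (myTest should be absent) and against https://sp.example.net/shibboleth (myTest should carry value1). Because unipdEmployeeType is marked dependencyOnly="true", it can still be listed as a Dependency here without being released itself.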
