AttributeDefinition multivalued to single value attribute?

Baron Fujimoto baron at hawaii.edu
Fri Jun 8 17:04:41 EDT 2018


Hi Stephen,

I need to release a hasfoo-enabled attribute to the SP regardless, so I
still need to create this for them rather than have them try to derive it
from the underlying set of someAttr themselves.

Re the attribute release policy, if I put all of the condition in a
<PolicyRequirementRule>, it will apply to all attributes that match the
policy, won't it? Wouldn't that mean I'd actually have to have
two PolicyRequirementRules for this requester? The first would
unconditionally release the "hasFoo" attribute (for the matching requester),
and the second would conditionally release the other allowed attributes to
that requester based on the hasFoo value?

The documentation at
<https://wiki.shibboleth.net/confluence/display/IDP30/ValueConfiguration>
suggests it's possible in <PermitValueRule> with a compound matcher
example (marked as deprecated), e.g.:

<AttributeRule attributeID="hasFooConditionalAttr">
   <PermitValueRule xsi:type="Value" value="true" ignoreCase="true" attributeID="hasFoo"/>
</AttributeRule>

This appears to work, but it's not clear how you would do this in a non-deprecated manner.

On Thu, Jun 07, 2018 at 10:27:19AM +0000, Losen, Stephen C. (scl) wrote:
>Hi Baron,
>
>You can test "someAttr" directly in the attribute filter, no need to convert it to "hasfoo-enabled".
>
><PolicyRequirementRule xsi:type="Value"
>  attributeID="someAttr" value="foo" />
>
>This is true if any value of someAttr is "foo".
>
>You can negate like this
>
><PolicyRequirementRule xsi:type="NOT">
>  <Rule xsi:type="Value" attributeID="someAttr" value="foo"/>
></PolicyRequirementRule>
>
>This is true if none of the values of someAttr is "foo"
>
>And you can build an arbitrarily complex rule by combining rules with xsi:type="AND" and/or xsi:type="OR"
>
>So you might have a PolicyRequirementRule where the Requester has a particular entityID AND an attribute has a particular value.
>
>https://wiki.shibboleth.net/confluence/display/IDP30/AttributeFilterPolicyConfiguration
>
>
>Stephen C. Losen
>ITS - Systems and Storage
>University of Virginia
>scl at virginia.edu    434-924-0640
>
>
>-----Original Message-----
>From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Baron Fujimoto
>Sent: Wednesday, June 06, 2018 10:56 PM
>To: Shib Users <users at shibboleth.net>
>Subject: AttributeDefinition multivalued to single value attribute?
>
>Is there a recommended way to create an AttributeDefinition in the IdP's
>attribute-resolver.xml that will map a multivalued source attribute to a
>new single valued attribute?
>
>For example, if I have a multivalued source attribute, "someAttr", with
>values as follows:
>
>someAttr: foo
>someAttr: bar
>someAttr: baz
>
>And I would like to define a new attribute, "hasFoo" which has value either
>"true" or "false" depending on the value of someAttr.
>
>If I do something like this
>
><resolver:AttributeDefinition xsi:type="ad:Mapped"
>        id="hasFoo-enabled"
>        sourceAttributeID="someAttr">
>
>    [...]
>
>    <!-- if someAttr is not "foo" return false -->
>    <ad:DefaultValue>false</ad:DefaultValue>
>
>    <!-- map "foo" to "true" -->
>    <ad:ValueMap>
>        <ad:ReturnValue>true</ad:ReturnValue>
>        <ad:SourceValue ignoreCase="true">foo</ad:SourceValue>
>    </ad:ValueMap>
></resolver:AttributeDefinition>
>
>I wind up with a multivalued set of hasFoo like
>
>hasFoo: true
>hasFoo: false
>hasFoo: false
>
>But the result I really want is just a single hasFoo with value "true" if
>there was a someAttr with value "foo", else hasFoo should be "false".
>
>The broader context for this is that I would like to return the single
>valued "hasFoo" in an AttributeFilterPolicy, and conditionally release
>other attributes based on the value of hasFoo. Maybe there's a better
>way to tackle this broader goal?
>
>-- 
>Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
>minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
>-- 
>For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
>To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

-- 
Baron Fujimoto <baron at hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
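
Added example, not part of the original thread or of the Shibboleth project's own configuration: the two-policy layout asked about above, written with the AND, Requester and Value rules named in the quoted reply. The entityID https://sp.example.org/shibboleth and the policy ids are placeholders; someAttr, hasFoo and hasFooConditionalAttr are the thread's attribute names, and IdP v3 filter syntax is assumed.

```xml
<!-- Assumed IdP v3 attribute-filter.xml; ids and entityID are placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Policy 1: the SP always receives hasFoo, whatever its value. -->
    <AttributeFilterPolicy id="exampleSP-hasFoo">
        <PolicyRequirementRule xsi:type="Requester"
                value="https://sp.example.org/shibboleth"/>
        <AttributeRule attributeID="hasFoo">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Policy 2: the extra attribute goes to the same SP only when
         some value of the resolved someAttr is "foo". The condition sits
         in the policy requirement, so every AttributeRule added to this
         policy inherits it, and nothing here is released to other SPs. -->
    <AttributeFilterPolicy id="exampleSP-whenFoo">
        <PolicyRequirementRule xsi:type="AND">
            <Rule xsi:type="Requester"
                    value="https://sp.example.org/shibboleth"/>
            <Rule xsi:type="Value" attributeID="someAttr" value="foo"/>
        </PolicyRequirementRule>
        <AttributeRule attributeID="hasFooConditionalAttr">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

someAttr has to be resolved for the Value rule to see it, but it is not released to the SP because no AttributeRule names it.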

