Attribute Lookup in Extension

Christopher Bongaarts cab at umn.edu
Mon Sep 17 13:59:15 EDT 2018


One thing I found helpful in understanding this was to examine the 
existing (system) flows that call a ResolveAttributes action, and 
compare how different flows invoke it in different ways at different times.

For example, comparing the authn-flow vs. the SAML sso-abstract-flow 
(the former being the quick lookup of a select few attributes needed 
during the authentication process, while the latter is pulling in 
"everything" to generate the attributes for the SAML response).

For this case, the "attributesToResolve" property on the 
ResolveAttributes might be appropriate (example in 
system/flows/authn/authn-flow.xml and authn-beans.xml).


On 9/16/2018 5:36 PM, Cantor, Scott wrote:
>> Is it possible to extract the value of the 'memberOf' attribute if the
>> DataConnector to LDAP, and the AttributeDefinition for 'memberOf' are in
>> attribute-resolver.xml? i.e. I don't have to build a separate LDAP connection
>> and 'memberOf' ldap filter lookup in the extension.
> That depends when/where/what you're doing. An interceptor (the post-login sort) has access to all the resolved attributes; it runs afterward. That's covered in the wiki.
>
>> If the above is available, is there any example code to refer to? The number of
>> moving parts for me to learn on writing an extension is large at this stage,
>> anything to grasp on will be a big help.
> The interceptors that already exist are the only examples and several of them are so small that it would be of no value to produce any example of any less complexity.
>
> The documentation that exists is exactly what exists, no more or less.
>
> https://wiki.shibboleth.net/confluence/display/IDP30/ProfileInterceptConfiguration
> https://wiki.shibboleth.net/confluence/display/IDP30/ProfileHandling
>   
> -- Scott
>

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%


