tag based activation conditions on attribute resolvers
Liam Hoekenga
liamr at umich.edu
Wed Jul 17 16:40:52 EDT 2019
I've got a scripted attribute definition to look up nested group membership
against our eDirectory backend. I have to do the lookup against the group
object, which makes the lookup more expensive than I'd like, and we don't
want to run it for every service provider.
I'd like to control this attribute using a tag in the metadata, so I added
this to the SP's metadata...
<mdattr:EntityAttributes>
  <saml:Attribute Name="https://its.umich.edu/identity/activationCondition/isMemberOf"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
    <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>
I then defined an activation condition based on the "RelyingPartyByTag"
example at
https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions#ActivationConditions-RelyingPartiesByTag
<bean id="isMemberOf_Condition" parent="shibboleth.Conditions.EntityDescriptor">
  <constructor-arg name="pred">
    <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate">
      <constructor-arg>
        <list>
          <bean class="org.opensaml.saml.common.profile.logic.EntityAttributesPredicate.Candidate"
                c:name="https://its.umich.edu/identity/activationCondition/isMemberOf"
                p:values="true" />
        </list>
      </constructor-arg>
    </bean>
  </constructor-arg>
</bean>
...and attached it to my attribute definition...
<AttributeDefinition id="isMemberOfScripted" xsi:type="ScriptedAttribute" language="nashorn"
                     activationConditionRef="isMemberOf_Condition">
  <AttributeEncoder xsi:type="SAML2String"
                    name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf"/>
  <AttributeEncoder xsi:type="oidcext:OIDCString" asArray="true"
                    name="edumember_ismemberof" />
  <ScriptFile>/usr/local/mcomm/shibboleth-idp/script/isMemberOfScripted.js</ScriptFile>
</AttributeDefinition>
The IDP loads, but the activation condition is not triggering...
2019-07-17 16:36:53,409 - DEBUG
[net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:183] -
x.x.x.x - Resolver plugin 'isMemberOfScripted': activation criteria not
met, nothing to do
2019-07-17 16:36:53,410 - DEBUG
[net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:337] -
x.x.x.x - Attribute Resolver 'ShibbolethAttributeResolver': Attribute
definition 'isMemberOfScripted' produced no attribute
The attributes with functional activation conditions are of
type shibboleth.Conditions.RelyingPartyId, but this one
is shibboleth.Conditions.EntityDescriptor. I'm guessing there's additional
stuff that I need to add.
Any pointers?
Liam
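An added check, not part of this thread or of the Shibboleth/OpenSAML code, that parses SP metadata and reports which entities carry the activation tag in the shape the Candidate above expects (same Name, every listed value present); the matching is a simplified approximation of the OpenSAML predicate, and the metadata and entityIDs are constructed samples.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

TAG_NAME = "https://its.umich.edu/identity/activationCondition/isMemberOf"

# Constructed sample: sp-a is tagged "true", sp-b is untagged, sp-c is tagged "false".
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="https://its.umich.edu/identity/activationCondition/isMemberOf"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue xsi:type="xsd:boolean">true</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth"/>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="https://its.umich.edu/identity/activationCondition/isMemberOf">
        <saml:AttributeValue>false</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def entity_tag_values(entity, name):
    """Collect the trimmed values of every EntityAttributes tag on this entity with the given Name."""
    xpath = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    vals = []
    for attr in entity.findall(xpath, NS):
        if attr.get("Name") == name:
            vals.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return vals

def tagged_entities(metadata_xml, name, required_values=("true",)):
    """Return the entityIDs whose metadata carries every required value of the tag (assumed semantics)."""
    root = ET.fromstring(metadata_xml)
    return [e.get("entityID") for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
            if all(v in entity_tag_values(e, name) for v in required_values)]
```

Running it against the metadata file the IdP actually loads (rather than the sample) shows whether the tag, its Name and its value reached the entity the condition is evaluated for.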