Getting the Destination URL for a scripted attribute?

Bryan K. Walton bwalton+1573850983 at
Fri Nov 15 16:48:03 EST 2019

We have a scripted attribute, that does a few things to determine
whether a user needs second factor authentication.  It is based upon the
code example supplied by Andrew Morgan, here:

Here is his code:


     <AttributeDefinition id="needs_duo" xsi:type="ScriptedAttribute">
         <Dependency ref="ONIDLDAP" />
             logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute.resolver.needs_duo");
             duoflag = "0";
             for (i=0; i < ismemberof.getValues().size(); i++) {
                 tmp = ismemberof.getValues().get(i);
                 if (tmp.toLowerCase().equals("cn=duo-opt-in,ou=duo,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,")) {
                     logger.debug("User is opted-in to Duo");
                     duoflag = "1";
             rpid = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").getRelyingPartyId();
             logger.debug("rpid=" + rpid);
            if (rpid.equals("")) {
                duoflag = "1";
            if (rpid.equals("")) {
                duoflag = "1";
             logger.debug("needs_duo final value: " + needs_duo.getValues().get(0));


This code works well for us, setting the duoflag for certain users and/or

We also have a case where we have one web site that we want to exempt from
second factor auth, even though it is on an SP where the other web sites
do require MFA.

Therefore, I'd like to find a way to add into Andy's script a way to set
duoflag = "0" depending on the authenticated users's destination URL. 

Can somebody suggest how this code should be modified for that?  I tried
relayState, but it seems that the SP isn't passing that to the IdP.  I
also tried HttpServletRequest with the host header.  But that seemed to
supply the IdP host, rather than the user's original URL.


More information about the users mailing list