Activation Conditions and AbstractAttributePredicate warning after IDPv4 Upgrade

Domingues, Em michael-domingues at uiowa.edu
Tue Dec 8 20:43:08 UTC 2020


Greetings All -

Since upgrading to IDP 4.0.1, I've noticed that on startup, some (but not all) of our activation conditions are leading to WARN entries in our logs during IDP startup:

net.shibboleth.idp.profile.logic.AbstractAttributePredicate:105 No AttributeContext located for evaluation

I'm seeing one WARN entry for each activationConditionRef associated with an affected AttributeDefinition in attribute-resolver.xml, but oddly, given structurally identical attribute definitions (same type, data connector, source attribute, and encoders) only certain definitions seem to be causing issues.

One of our predicates is defined as follows in global.xml:

<bean id="IsServiceAccount" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
    <map>
        <entry key="isServiceAccount">
        <list>
            <value>true</value>
        </list>
        </entry>
    </map>
    </property>
</bean>

The following attribute definition (technically, its associated encoders) makes use of the predicate as an activation condition. This one doesn't seem to be associated with the log entries:

<AttributeDefinition xsi:type="Simple" id="ad_displayName_givenName" >
    <InputDataConnector ref="myADLDAP" attributeNames="displayname"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:givenName"
                        activationConditionRef="IsServiceAccount"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.42" friendlyName="givenName"
                        activationConditionRef="IsServiceAccount"/>
</AttributeDefinition>

By contrast, this attribute definition is associated with the log entries. When I remove the activation condition references (and leave the ones associated with the above definition in place) the warnings disappear:

<AttributeDefinition xsi:type="Simple" id="ad_mail">
    <InputDataConnector ref="myADLDAP" attributeNames="mail"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail"
        activationConditionRef="IsServiceAccount"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
        activationConditionRef="IsServiceAccount"/>
</AttributeDefinition>

I've read through the docs and poked around the relevant IDP source but am currently at a loss trying to explain why this would happen. Is there something I'm missing here?

Em Domingues
Senior Application Developer, Identity and Access Management
University of Iowa

