Resolving $resolutionContext in LDAP Filter with MFA second factor check

Herron, Joel D herronj at
Mon Dec 21 21:27:52 UTC 2020

I’m attempting to convert logic from our current external MFA provider to the standard MFA flow with Duo. I’m hitting a roadblock with attributes not resolving that use a DC to filter and return results. Currently we don’t force MFA for every application just those deemed necessary. To facilitate this we have LDAP groups and an attribute on the group contains the Entity ID(s) of that application. In the DC we filter on that attribute and then populate an attribute with the result.


The issue I’m having is that $resolutionContext doesn’t get resolved and forces a LDAP error. I assume I just don’t have a proper context as I’ve tried hardcoding a known EntityID in and it works as expected. Where do I need to be looking to inject the proper context to get the relying party ID into the DC filter?

The error I get:

Caused by: com.unboundid.ldap.sdk.LDAPSearchException: Unable to parse string '(&(objectclass=groupOfNames)(member=USERDN)(uww-group-shib-entityid=$resolutionContext.getAttributeRecipientID()))' as an LDAP filter because it contains an unexpected opening parenthesis at position 149.

I’m on 3.4.7 w/java8 on this test IDP.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list