Resolving $resolutionContext in LDAP Filter with MFA second factor check
Herron, Joel D
herronj at uww.edu
Wed Dec 23 22:45:36 UTC 2020
I've inherited the system, so I can't say our Velocity settings are stock, as we do load extra velocity-tools.
So potentially I could create an attribute in the resolver (via scripted attribute) that would populate the RPID, and then I could pass it into the DC filter when I resolve the attribute I'm actually after in the MFA flow, just as I'm doing with the user's DN? If I'm understanding correctly.
Attribute I'm after:
<AttributeDefinition xsi:type="Simple" id="loginFlowMFA">
<InputDataConnector ref="loginFlowLDAP02" attributeNames="uww-group-shib-assurance" />
<DataConnector id="loginFlowLDAP02" xsi:type="LDAPDirectory"
<LDAPProperty name="java.naming.ldap.derefAliases" value="never"/>
On 12/23/20, 7:48 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
I don't see how that's possible; $resolutionContext is always populated. Even if the specific property were null, it shouldn't mis-evaluate the expression, but unless you actually populate the field when you create the context yourself in the MFA flow, it's not going to be populated anyway. It's possible an empty field doesn't get the expression replaced, but that's not my recollection of what it does.
The fact that it leaves the variable there is a result of a Velocity setting and the setting can be changed in V4 to a strict mode that throws if the expression can't evaluate.