Resolving $resolutionContext in LDAP Filter with MFA second factor check

Herron, Joel D herronj at
Wed Dec 23 22:45:36 UTC 2020

I've inherited the system, so I can't say our Velocity settings are stock, as we do load extra velocity-tools.

So potentially I could create an attribute in the resolver (via scripted attribute) that would populate the RPID, and then I could pass it into the DC filter when I resolve the attribute I'm actually after in the MFA flow, just as I'm doing with the user's DN? If I'm understanding correctly.

Attribute I'm after
<AttributeDefinition xsi:type="Simple" id="loginFlowMFA">
        <InputDataConnector ref="loginFlowLDAP02" attributeNames="uww-group-shib-assurance" />

Current DC
<DataConnector id="loginFlowLDAP02" xsi:type="LDAPDirectory"
        <InputAttributeDefinition ref="flowUserDN"/>
        <LDAPProperty name="java.naming.ldap.derefAliases" value="never"/>



On 12/23/20, 7:48 AM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:


    I don't see how that's possible, $resolutionContext is always populated. Even if the specific property were null, it shouldn't mis-evaluate the expression, but unless you actually populate the field when you create the context yourself in the MFA flow, it's not going to be populated anyway. It's possible an empty field doesn't get the expression replaced, but that's not my recollection of what it does.

    The fact that it leaves the variable there is a result of a Velocity setting and the setting can be changed in V4 to a strict mode that throws if the expression can't evaluate.

    -- Scott
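
The point in the quoted reply, that the field has to be populated by the MFA flow when it creates the context itself, as an added example that is not from the thread or the Shibboleth project. It assumes the scripted-transition bean pattern from the IdP's mfa-authn-config.xml; the flow id "authn/Duo", the value "first-factor-ok" and the cn/member filter are constructed placeholders, while loginFlowMFA and flowUserDN are the ids from the post.

```xml
<!-- Added example: MFA transition strategy that sets the relying party ID on the
     AttributeResolutionContext before resolving loginFlowMFA. -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted"
      factory-method="inlineScript"
      p:customObject-ref="shibboleth.AttributeResolverService">
  <constructor-arg>
    <value>
    <![CDATA[
      // Fail closed: the second factor is required unless the lookup says otherwise.
      var nextFlow = "authn/Duo";   // assumed second-factor flow id
      var rpCtx = input.getSubcontext(
          "net.shibboleth.idp.profile.context.RelyingPartyContext");
      var rpId = (rpCtx != null) ? rpCtx.getRelyingPartyId() : null;

      // Skip the lookup when there is no RP ID, so the LDAP filter never runs with
      // an unresolved $resolutionContext expression left in it.
      if (rpId != null) {
        var LookupType = Java.type(
            "net.shibboleth.idp.session.context.navigate.CanonicalUsernameLookupStrategy");
        var resCtx = input.getSubcontext(
            "net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
        resCtx.setPrincipal(new LookupType().apply(input));
        resCtx.setAttributeRecipientID(rpId);   // not set unless the flow sets it
        resCtx.getRequestedIdPAttributeNames().add("loginFlowMFA");
        resCtx.resolveAttributes(custom);

        var attr = resCtx.getResolvedIdPAttributes().get("loginFlowMFA");
        var ValueType = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
        // "first-factor-ok" is a constructed value; a failed or empty lookup
        // leaves the second factor required.
        if (attr != null && attr.getValues().contains(new ValueType("first-factor-ok"))) {
          nextFlow = null;
        }
        input.removeSubcontext(resCtx);   // clean up the temporary context
      }
      nextFlow;
    ]]>
    </value>
  </constructor-arg>
</bean>

<!-- Inside the loginFlowLDAP02 DataConnector: hypothetical filter using both the
     input attribute and the context field populated above. -->
<FilterTemplate>
  <![CDATA[
    (&(member=$flowUserDN.get(0))(cn=$resolutionContext.attributeRecipientID))
  ]]>
</FilterTemplate>
```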