Resolving $resolutionContext in LDAP Filter with MFA second factor check

Herron, Joel D herronj at uww.edu
Wed Dec 23 22:45:36 UTC 2020


I've inherited the system, so I can't say our Velocity settings are stock, as we do load extra velocity-tools.

So potentially I could create an attribute in the resolver (via a scripted attribute) that would populate the RPID, and then I could pass it into the DC filter when I resolve the attribute I'm actually after in the MFA flow, just as I'm doing with the user's DN? If I'm understanding correctly.


Attribute I'm after
<AttributeDefinition xsi:type="Simple" id="loginFlowMFA">
        <InputDataConnector ref="loginFlowLDAP02" attributeNames="uww-group-shib-assurance" />
</AttributeDefinition>

Current DC
<DataConnector id="loginFlowLDAP02" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseGroupDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        lowercaseAttributeNames="true">
    <InputAttributeDefinition ref="flowUserDN"/>
    <FilterTemplate>
        <![CDATA[
            (&(objectclass=groupOfNames)(member=$flowUserDN.get(0))(uww-group-shib-entityid=$resolutionContext.getAttributeRecipientID()))
        ]]>
    </FilterTemplate>
    <LDAPProperty name="java.naming.ldap.derefAliases" value="never"/>
</DataConnector>

--Joel
On 12/23/20, 7:48 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

    I don't see how that's possible, $resolutionContext is always populated. Even if the specific property were null, it shouldn't mis-evaluate the expression but unless you actually populate the field when you create the context yourself in the MFA flow, it's not going to be populated anyway. It's possible an empty field doesn't get the expression replaced but that's not my recollection of what it does.

    The fact that it leaves the variable there is a result of a Velocity setting and the setting can be changed in V4 to a strict mode that throws if the expression can't evaluate.

    -- Scott


    -- 
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
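The approach floated above (a scripted attribute that carries the relying party's entityID, fed into the LDAP connector as a second input alongside the user's DN) as an added, illustrative attribute-resolver fragment. This is not configuration from the thread or from the Shibboleth project; the attribute id `flowRPID` is an assumed name, and the lookup of `RelyingPartyContext` from `profileContext` inside the script is an assumption about what is in scope during this deployment's MFA flow. Because the value is interpolated into the filter by Velocity without escaping, only use it where the entityID has already been matched against trusted metadata before the flow runs.

```xml
<!-- Added example, not from the original thread. Assumes the IdP 4 attribute
     resolver's usual script variables (profileContext, the attribute object
     named after the definition id) are available in the MFA flow's resolution. -->
<AttributeDefinition id="flowRPID" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <Script><![CDATA[
        // Assumed: RelyingPartyContext is present on the ProfileRequestContext by the
        // time the MFA flow resolves attributes. Guard against a missing context so the
        // attribute is simply empty rather than the script throwing.
        var rpCtx = profileContext.getSubcontext(
            "net.shibboleth.idp.profile.context.RelyingPartyContext");
        if (rpCtx != null && rpCtx.getRelyingPartyId() != null) {
            flowRPID.addValue(rpCtx.getRelyingPartyId());
        }
    ]]></Script>
</AttributeDefinition>

<!-- Same connector as posted above, with the RPID taken from the scripted
     attribute instead of $resolutionContext.getAttributeRecipientID(). -->
<DataConnector id="loginFlowLDAP02" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseGroupDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        lowercaseAttributeNames="true">
    <InputAttributeDefinition ref="flowUserDN"/>
    <InputAttributeDefinition ref="flowRPID"/>
    <FilterTemplate>
        <![CDATA[
            (&(objectclass=groupOfNames)(member=$flowUserDN.get(0))(uww-group-shib-entityid=$flowRPID.get(0)))
        ]]>
    </FilterTemplate>
    <LDAPProperty name="java.naming.ldap.derefAliases" value="never"/>
</DataConnector>
```

If `flowRPID` resolves to no value, `$flowRPID.get(0)` cannot be evaluated and, with non-strict Velocity settings, the literal text is left in the filter, which is the same silent failure discussed above for the unpopulated recipient ID; turning on Velocity's strict mode makes that a thrown error instead, which is what you want for an access-control lookup. The other option Scott describes, populating the recipient ID on the `AttributeResolutionContext` the MFA flow constructs (the setter counterpart of the getter used in the original filter; assumed here, check it against your IdP version's API), keeps the posted filter unchanged and avoids the extra attribute definition.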