Script the value of the discovery url for SAML auth flow? (discovery-config.xml)

Cantor, Scott cantor.2 at
Wed Jul 29 17:45:49 UTC 2020

On 7/29/20, 12:49 PM, "users on behalf of Jeremy A Scott" <users-bounces at on behalf of jeremy.scott at> wrote:

> Is there a better way for me to change the discovery URL for SAML authn based on the relying party?

Use shibboleth.ContextFunctions.Scripted

(note the plural)

> (Something in relying-party.xml or, even better, metadata?)

You can certainly use metadata, but you have to be able to dig into the API and get used to accessing entity attributes. The conditions are all predefined to know how to access those, but using them in functions requires actually digging them out.

However, you can repurpose the Java code defined for deriving properties in relying-party.xml and use them for this purpose by hacking them a bit to access property names using a different URL prefix than the ones we use for those lookups in our namespace.

I would have to go dig out the example I came up with for somebody else if you wanted to do it, but the classes that do all of that are wired up inside relying-party-mddriven.xml in the system tree. There's an aliases property where it takes in "alternate" URL prefixes for the tag names to go search for.

The MDDriven lookup function classes are all API, so using them in other places is "safe".

-- Scott
