Upgrading IPRangePredicate and predicate logic to idp 4.0.0
Redman, Chad
chad_redman at unc.edu
Tue Mar 24 14:02:03 EDT 2020
Our idp 3.4.6 configuration had a condition on the shibboleth.SessionManager, which enforced consistent address checks for a range *outside of* a set of CIDR blocks. In 3.4.6, the configuration was:

idp.properties:

    idp.session.consistentAddressCondition = custom.CheckAddressForNonLocalOnly

global.xml:

    <bean id="custom.CheckAddressForNonLocalOnly" parent="shibboleth.Conditions.NOT">
        <constructor-arg ref="custom.WhitelistIPCheck" />
    </bean>

    <bean id="custom.WhitelistIPCheck"
          class="org.opensaml.profile.logic.IPRangePredicate"
          p:httpServletRequest-ref="shibboleth.HttpServletRequest">
        <property name="ranges">
            <list>
                <bean class="net.shibboleth.utilities.java.support.net.IPRange" factory-method="parseCIDRBlock" c:cidrBlock="..."/>
                ...
            </list>
        </property>
    </bean>

In idp 4.0.0, the consistentAddressCondition property in the shibboleth.SessionManager bean now uses a BiPredicate instead of a Predicate. For the IP check itself, it appears I need to change the class from org.opensaml.profile.logic.IPRangePredicate to net.shibboleth.idp.session.logic.IPRangeBiPredicate. However, trying to invert that result with a shibboleth.Conditions.NOT predicate no longer works, as there is no conversion between Predicate and BiPredicate.
Is there a better way of configuring this so that there is no Predicate/BiPredicate mismatch?
Thanks,
Chad