Resolving $resolutionContext in LDAP Filter with MFA second factor check

Herron, Joel D herronj at
Fri Jan 15 20:16:21 UTC 2021

Finally got back to this and was able to fix my the lack of setting the field in the new context, thanks Scott for pointing me in the right direction.


On 12/23/20, 4:58 PM, "users on behalf of Cantor, Scott" <users-bounces at on behalf of cantor.2 at> wrote:


    On 12/23/20, 5:45 PM, "users on behalf of Herron, Joel D" <users-bounces at on behalf of herronj at> wrote:

    >    I've inherited the system so I can't say our velocity settings are stock as we do load  extra velocity-tools  

    They're stock because they're hardcoded to have the option set that emits any variable that doesn't exist as literal text.

    >    So potentially I could create an attribute in the resolver (via scripted attribute) that would populate the RPID and then I
    > could pass it into the DC filter when I resolve the attribute I'm actually after in the MFA flow just as I'm doing with the
    > users DN? If I'm understanding correctly.

    Yes, but that's not going to change anything.

    I suspect I'm mistaken and that if $resolutionContext.getAttributeRecipientID() is null, then the whole variable expression is emitted. In which case the bug is yours, you didn't set the field when you invoked the resolver and created the context yourself in a script.

    -- Scott

    For Consortium Member technical support, see
    To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list