replace method in AttributeDefinition "ScriptedAttribute" getValues()

Jehan PROCACCIA jehan.procaccia at tem-tsp.eu
Tue Jan 26 10:54:24 UTC 2021


Thanks Nate, your advice to use a "Mapped AttributeDefinition with regular expressions" was good 
so I rewrote my Definition toward a mapped attribute and it seems to work fine this way : 

<AttributeDefinition id="mail" xsi:type="Mapped"> 
<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" /> 
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" /> 
<InputDataConnector ref="myLDAP" attributeNames="mail" /> 
<DefaultValue passThru="true"/> 
<ValueMap> 
<ReturnValue>$1@ newDom.fr </ReturnValue> 
<SourceValue>(.+)@ initialDom.fr </SourceValue> 
</ValueMap> 
<ValueMap> 
<ReturnValue>$1@ newDom.fr </ReturnValue> 
<SourceValue>(.+)@ OtherinitialDom.fr </SourceValue> 
</ValueMap> 
</AttributeDefinition> 

Associated logs when using this mapped attribute : 

2021-01-26 11:00:21,110 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:431] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'mail' 
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'mail' 
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:204] - Attribute Definition 'mail': Attempting to map the following values: [StringAttributeValue{value=teststud at initialDom.fr}] 
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:163] - Attribute Definition mail: mapping dependency attribute value teststud@ initialDom.fr 
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud at initialDom.fr' 
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison 
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:134] - Attribute value 'teststud at initialDom.fr' matches regular expression, will be mapped to 'teststud at newDom.fr' 
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud at initialDom.fr' 
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison 
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:143] - Value teststud at initialDom.fr yielded a null value 
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:185] - Attribute Definition mail: mapped dependency attribute value teststud at initialDom.fr to the values [StringAttributeValue{value=teststud at newDom.fr}] 
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'mail': produced an attribute with the following values [StringAttributeValue{value=teststud at newDom.fr}] 
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:335] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'mail' produced an attribute with 1 values 

Regards 


De: "Nate Klingenstein" <ndk at signet.id> 
À: "users" <users at shibboleth.net>, "users" <users at shibboleth.net> 
Envoyé: Lundi 25 Janvier 2021 23:22:11 
Objet: RE: replace method in AttributeDefinition "ScriptedAttribute" getValues() 

Jehan, 

Is there a reason you wouldn't just use a Mapped AttributeDefinition with regular expressions? 

Anyway, I'm not aware of a way to change or remove attribute values in the ScriptedAttribute definition. I don't see a way in the quick read of the code. 

https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-attribute-resolver-impl/src/main/java/net/shibboleth/idp/attribute/resolver/ad/impl/ScriptedIdPAttributeImpl.java 

If you need a ScriptedAttribute for a specific reason, you could easily remove values in the attribute filter by a value match, or just use a new name for the attribute that you're adding the corrected value to, which will start as a null set. 

Hope this is right, 
Nate. 
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20210126/303839be/attachment.htm>


More information about the users mailing list