Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)
Jehan PROCACCIA
jehan.procaccia at tem-tsp.eu
Thu Jan 28 18:32:21 UTC 2021
Hello
Continuing with my AttributeDefinitions for our specific SP vendor (DocuSign; I changed the title from ScriptedAttribute to Mapped following the previous responses/advice, cf. thread below),
Now I need to map a fixed accountID that must be unique for all users. So I wrote an AttributeDefinition to map any value [ (.+) ] of employeeNumber to a fixed value (ai4d...4224, DocuSign accountID) like this:
<AttributeDefinition id="employeeNumber" xsi:type="Mapped">
    <InputDataConnector ref="myLDAP" attributeNames="employeeNumber" />
    <DefaultValue passThru="false"/>
    <ValueMap>
        <ReturnValue>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</ReturnValue>
        <SourceValue caseSensitive="false">(.+)</SourceValue>
    </ValueMap>
</AttributeDefinition>
This should work fine, unless there's no employeeNumber value at the source (LDAP).
How can I force that fixed ReturnValue even when the source value (which I don't care about) is empty?
Thanks.
From: "Jehan PROCACCIA" <jehan.procaccia at tem-tsp.eu>
To: "users" <users at shibboleth.net>
Sent: Tuesday 26 January 2021 11:54:24
Subject: Re: replace method in AttributeDefinition "ScriptedAttribute" getValues()
Thanks Nate, your advice to use a "Mapped AttributeDefinition with regular expressions" was good,
so I rewrote my definition as a mapped attribute and it seems to work fine this way:
<AttributeDefinition id="mail" xsi:type="Mapped">
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    <InputDataConnector ref="myLDAP" attributeNames="mail" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>$1@newDom.fr</ReturnValue>
        <SourceValue>(.+)@initialDom.fr</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>$1@newDom.fr</ReturnValue>
        <SourceValue>(.+)@OtherinitialDom.fr</SourceValue>
    </ValueMap>
</AttributeDefinition>
Associated logs when using this mapped attribute:
2021-01-26 11:00:21,110 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:431] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'mail'
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'mail'
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:204] - Attribute Definition 'mail': Attempting to map the following values: [StringAttributeValue{value=teststud at initialDom.fr}]
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:163] - Attribute Definition mail: mapping dependency attribute value teststud@ initialDom.fr
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud at initialDom.fr'
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:134] - Attribute value 'teststud at initialDom.fr' matches regular expression, will be mapped to 'teststud at newDom.fr'
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud at initialDom.fr'
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:143] - Value teststud at initialDom.fr yielded a null value
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:185] - Attribute Definition mail: mapped dependency attribute value teststud at initialDom.fr to the values [StringAttributeValue{value=teststud at newDom.fr}]
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'mail': produced an attribute with the following values [StringAttributeValue{value=teststud at newDom.fr}]
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:335] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'mail' produced an attribute with 1 values
Regards
From: "Nate Klingenstein" <ndk at signet.id>
To: "users" <users at shibboleth.net>, "users" <users at shibboleth.net>
Sent: Monday 25 January 2021 23:22:11
Subject: RE: replace method in AttributeDefinition "ScriptedAttribute" getValues()
Jehan,
Is there a reason you wouldn't just use a Mapped AttributeDefinition with regular expressions?
Anyway, I'm not aware of a way to change or remove attribute values in the ScriptedAttribute definition. I don't see a way in the quick read of the code.
https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-attribute-resolver-impl/src/main/java/net/shibboleth/idp/attribute/resolver/ad/impl/ScriptedIdPAttributeImpl.java
If you need a ScriptedAttribute for a specific reason, you could easily remove values in the attribute filter by a value match, or just use a new name for the attribute that you're adding the corrected value to, which will start as a null set.
Hope this is right,
Nate.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
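
Added example, not part of the original thread or of the Shibboleth project's own configuration: one way to get a constant attribute that does not depend on any LDAP value is a Static DataConnector exposed through a Simple AttributeDefinition, released only to the one SP that needs it. The ids "staticDocuSign", "docusignAccountId" and "releaseDocuSignAccountId" and the entityID are hypothetical placeholders; the account value is the one quoted in the first message, and attribute encoders are left out.

```xml
<!-- attribute-resolver.xml (added example; ids are hypothetical) -->
<!-- The value comes from configuration, not from the directory, so a user
     with no employeeNumber in LDAP still resolves the same account ID. -->
<DataConnector id="staticDocuSign" xsi:type="Static">
    <Attribute id="docusignAccountId">
        <Value>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</Value>
    </Attribute>
</DataConnector>

<!-- Simple definition passes the static value through unchanged. -->
<AttributeDefinition id="docusignAccountId" xsi:type="Simple">
    <InputDataConnector ref="staticDocuSign" attributeNames="docusignAccountId" />
</AttributeDefinition>

<!-- attribute-filter.xml (added example) -->
<!-- Release the constant only to the vendor SP; the entityID below is a
     placeholder and must be replaced with the SP's real entityID. -->
<AttributeFilterPolicy id="releaseDocuSignAccountId">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/PLACEHOLDER-ENTITY-ID" />
    <AttributeRule attributeID="docusignAccountId">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```

Using a separate attribute id also leaves the real employeeNumber attribute untouched for other service providers.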