Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)

Jehan PROCACCIA jehan.procaccia at tem-tsp.eu
Thu Jan 28 19:47:34 UTC 2021


Indeed, StaticDataConnector (https://wiki.shibboleth.net/confluence/display/IDP4/StaticDataConnector?src=contextnavpagetreemode) is the way to go, I missed it in the doc ...

Thanks.



From: "Andrew Jason Morgan" <morgan at oregonstate.edu>
To: "users" <users at shibboleth.net>
Sent: Thursday 28 January 2021 19:52:36
Subject: Re: Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)

Jehan, 

Use a static DataConnector to generate a fixed attribute value: 

https://wiki.shibboleth.net/confluence/display/IDP4/StaticDataConnector

Then release that attribute to Docusign. 

Thanks, 
Andy 


From: users <users-bounces at shibboleth.net> on behalf of Jehan PROCACCIA <jehan.procaccia at tem-tsp.eu> 
Sent: Thursday, January 28, 2021 10:32 AM 
To: users <users at shibboleth.net> 
Subject: Force a fixed value for a Mapped AttributeDefinition (DocuSign AccountID)


Hello 

Continuing with my AttributeDefinitions for our specific SP vendor (DocuSign; I changed the title from ScriptedAttribute to Mapped following previous responses/advice, cf. thread below).
Now I need to map a fixed accountID that must be unique for all users. So I wrote an AttributeDefinition to map any value [ (.+) ] of employeeNumber to a fixed value (ai4d...4224, the DocuSign accountID) like this:

<AttributeDefinition id="employeeNumber" xsi:type="Mapped">
    <InputDataConnector ref="myLDAP" attributeNames="employeeNumber" />
    <DefaultValue passThru="false"/>
    <ValueMap>
        <ReturnValue>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</ReturnValue>
        <SourceValue caseSensitive="false">(.+)</SourceValue>
    </ValueMap>
</AttributeDefinition>

This should work fine, unless there's no employeeNumber value at the source (LDAP).
How can I force that fixed ReturnValue even when the source value (which I don't care about) is empty?

Thanks . 


From: "Jehan PROCACCIA" <jehan.procaccia at tem-tsp.eu>
To: "users" <users at shibboleth.net>
Sent: Tuesday 26 January 2021 11:54:24
Subject: Re: replace method in AttributeDefinition "ScriptedAttribute" getValues()

Thanks Nate, your advice to use a "Mapped AttributeDefinition with regular expressions" was good 
so I rewrote my Definition toward a mapped attribute and it seems to work fine this way : 

<AttributeDefinition id="mail" xsi:type="Mapped">
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    <InputDataConnector ref="myLDAP" attributeNames="mail" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>$1@newDom.fr</ReturnValue>
        <SourceValue>(.+)@initialDom.fr</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>$1@newDom.fr</ReturnValue>
        <SourceValue>(.+)@OtherinitialDom.fr</SourceValue>
    </ValueMap>
</AttributeDefinition>

Associated logs when using this mapped attribute : 

2021-01-26 11:00:21,110 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:431] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'mail' 
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:440] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'mail' 
2021-01-26 11:00:21,111 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:204] - Attribute Definition 'mail': Attempting to map the following values: [StringAttributeValue{value=teststud@initialDom.fr}]
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:163] - Attribute Definition mail: mapping dependency attribute value teststud@initialDom.fr
2021-01-26 11:00:21,112 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud@initialDom.fr'
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:134] - Attribute value 'teststud@initialDom.fr' matches regular expression, will be mapped to 'teststud@newDom.fr'
2021-01-26 11:00:21,113 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:113] - Attempting to map attribute value 'teststud@initialDom.fr'
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:129] - Performing regular expression based comparison
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.ValueMap:143] - Value teststud@initialDom.fr yielded a null value
2021-01-26 11:00:21,114 - - DEBUG [net.shibboleth.idp.attribute.resolver.ad.mapped.impl.MappedAttributeDefinition:185] - Attribute Definition mail: mapped dependency attribute value teststud@initialDom.fr to the values [StringAttributeValue{value=teststud@newDom.fr}]
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'mail': produced an attribute with the following values [StringAttributeValue{value=teststud@newDom.fr}]
2021-01-26 11:00:21,115 - - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:335] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'mail' produced an attribute with 1 values 

Regards 


From: "Nate Klingenstein" <ndk at signet.id>
To: "users" <users at shibboleth.net>, "users" <users at shibboleth.net>
Sent: Monday 25 January 2021 23:22:11
Subject: RE: replace method in AttributeDefinition "ScriptedAttribute" getValues()

Jehan, 

Is there a reason you wouldn't just use a Mapped AttributeDefinition with regular expressions? 

Anyway, I'm not aware of a way to change or remove attribute values in the ScriptedAttribute definition. I don't see a way in the quick read of the code. 

https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-attribute-resolver-impl/src/main/java/net/shibboleth/idp/attribute/resolver/ad/impl/ScriptedIdPAttributeImpl.java 

If you need a ScriptedAttribute for a specific reason, you could easily remove values in the attribute filter by a value match, or just use a new name for the attribute that you're adding the corrected value to, which will start as a null set. 

Hope this is right, 
Nate. 
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg 
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net 
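
The approach from Andy's reply, written out as an added example (not from the original thread or the Shibboleth project): a Static DataConnector yields the fixed account ID for every user whether or not LDAP returns an employeeNumber, and a filter policy releases it only to the DocuSign SP. The ids `staticDocuSign`, `staticAccountID`, `docusignAccountID` and `releaseDocuSignAccountID`, the SAML attribute name and the SP entityID are placeholders assumed here; the account ID is the value quoted in the question.

```xml
<!-- attribute-resolver.xml (added example; all ids below are assumptions) -->

<!-- Static connector: always produces the same value, no LDAP dependency,
     so an empty or missing employeeNumber no longer matters -->
<DataConnector id="staticDocuSign" xsi:type="Static">
    <Attribute id="staticAccountID">
        <Value>ai4dc9cfa7-dd39-aad1-884c-2f9b17574224</Value>
    </Attribute>
</DataConnector>

<!-- Simple definition: exposes the connector value under its own attribute id
     and attaches the SAML encoder -->
<AttributeDefinition id="docusignAccountID" xsi:type="Simple">
    <InputDataConnector ref="staticDocuSign" attributeNames="staticAccountID" />
    <!-- name is a placeholder: use the attribute name the SP expects -->
    <AttributeEncoder xsi:type="SAML2String"
                      name="ATTRIBUTE_NAME_EXPECTED_BY_DOCUSIGN"
                      friendlyName="accountID" />
</AttributeDefinition>


<!-- attribute-filter.xml (added example) -->

<!-- Release the tenant-wide account ID to the DocuSign SP only;
     the entityID is a placeholder -->
<AttributeFilterPolicy id="releaseDocuSignAccountID">
    <PolicyRequirementRule xsi:type="Requester" value="DOCUSIGN_SP_ENTITY_ID" />
    <AttributeRule attributeID="docusignAccountID">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
```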
