Resolving attributes from a SAML proxy
Wessel, Keith
kwessel at illinois.edu
Fri Oct 8 19:22:24 UTC 2021
If I debugged this correctly:
    if (input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext") == null) {
        logger.debug("Relying party context not found");
    }
    else {
        logger.debug("Relying party context found");
    }
    if (input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext") == null) {
        logger.debug("Attribute resolution context not found");
    }
    else {
        logger.debug("Attribute resolution context found");
    }
...then we're missing the attribute resolution context:
2021-10-08 14:14:13,167 - DEBUG [mfa_claim_to_acr:8] - Relying party context found
2021-10-08 14:14:13,176 - DEBUG [mfa_claim_to_acr:12] - Attribute resolution context not found
Is that debugging code correct?
If so, I should be able to use similar code to do attribute resolution like I'm using in my MFA function to get one, right?
    // Relying party ID from the existing RelyingPartyContext.
    rpid = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext").relyingPartyId;
    // Second argument true: create the AttributeResolutionContext if it is absent.
    resCtx = input.getSubcontext("net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext", true);
    resCtx.setPrincipal(custom["usernameLookup"].apply(input));
    resCtx.setAttributeRecipientID(rpid);
    // Resolve only the one attribute that is needed.
    resCtx.getRequestedIdPAttributeNames().add("adfsProxyAuthnMethod");
    resCtx.resolveAttributes(custom["attributeResolver"]);
Is that what I need to do? Or is there a simpler way?
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Friday, October 8, 2021 2:03 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Resolving attributes from a SAML proxy
On 10/8/21, 2:59 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> Can you at least tell me if the attribute context and the relying party context should be in the profile request
> context when it's assigned to the input passed into my authnContextTranslationStrategyEX function?
They should be, if I'm reading the code correctly, but only if it actually managed to decode anything, which should be logged.
-- Scott