Using a different SP entity ID with the IdP SAML authn flow
Wessel, Keith
kwessel at illinois.edu
Wed Sep 15 22:32:21 UTC 2021
Alright, I'm close, but something isn't falling into place here. Using what I sent earlier, I get:
2021-09-15 17:22:26,765 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception - [session=7BD8ED999335A92D757AC426605CA21C] [ip=172.16.95.162] java.lang.RuntimeException: javax.script.ScriptException: ReferenceError: "RequestedPrincipalContext" is not defined in <eval> at line number 2
at net.shibboleth.utilities.java.support.scripting.AbstractScriptEvaluator.evaluate(AbstractScriptEvaluator.java:193)
Caused by: javax.script.ScriptException: ReferenceError: "RequestedPrincipalContext" is not defined in <eval> at line number 2
at jdk.scripting.nashorn/jdk.nashorn.api.scripting.NashornScriptEngine.throwAsScriptException(NashornScriptEngine.java:477)
Caused by: jdk.nashorn.internal.runtime.ECMAException: ReferenceError: "RequestedPrincipalContext" is not defined
at jdk.scripting.nashorn/jdk.nashorn.internal.runtime.ECMAErrors.error(ECMAErrors.java:57)
The bean in global.xml looks like this:
<bean id="proxySPEntityIDStrategy" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript">
<constructor-arg>
<value>
<![CDATA[
var spEntityID = "%{idp.entityID}";
var requestedPrincipals = input.getParent().getSubcontext(RequestedPrincipalContext.class).getRequestedPrincipals();
for (i=0; I<requestedPrincipals.length; i++) {
if (requestedPrincipals[i].getName() == "https://refeds.org/profile/mfa") {
spEntityID = "%{idp.entityID}/mfa";
}
else if (requestedPrincipals[i].getName() == "urn:oasis:names:tc:SAML:2.0:ac:classes:Password") {
spEntityID = "%{idp.entityID}/password";
}
}
spEntityID;
]]>
</value>
</constructor-arg>
</bean>
Do I need to inject some additional objects into this bean, or is everything I need defined in the input? And more importantly, why doesn't the IdP claim to know what I'm talking about when I as for RequestedPrincipalContext.class?
Keith
-----Original Message-----
From: Wessel, Keith
Sent: Wednesday, September 15, 2021 12:25 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Using a different SP entity ID with the IdP SAML authn flow
Ah, I get it. I didn't think about returning nothing. Yes, that makes sense. I assume if I return nothing, the IdP will just fall back on using its own entity ID.?
Keith
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Wednesday, September 15, 2021 11:54 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Using a different SP entity ID with the IdP SAML authn flow
On 9/15/21, 12:45 PM, "users on behalf of Wessel, Keith" <users-bounces at shibboleth.net on behalf of kwessel at illinois.edu> wrote:
> If I did want to put if statements in for the specific authn contexts I want to support and have any other non
>-null values result in an error, what method would I call to set the error?
I doubt it would be wise to try to do that, all you can do here is return something or not, and if you throw it's not going to be graceful. I'm just saying you probably want to leave it returning nothing so it falls back to the usual value if something unusual happens.
-- Scott
--
For Consortium Member technical support, see https://urldefense.com/v3/__https://shibboleth.atlassian.net/wiki/x/ZYEpPw__;!!DZ3fjg!u2JvRx5y83x9ARlOMS7GmkAwHpOPnoFMmusxllrKGjfX76gAUGaubCtg6MgO_UTK6g$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
More information about the users
mailing list