DataConnector activationConditionRef cannot check on attribute

Kapetanakis Giannis bilias at edu.physics.uoc.gr
Mon Jan 10 14:47:09 UTC 2022


Hi,

I'm trying to implement an activation condition for my 2nd DataConnector based on an attribute value of the first DataConnector as well as the RelyingPartyId.

The RelyingPartyId condition is being checked successfully but the Attribute condition is not, no matter what I've tried...

"DEBUG [net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:246] - Resolver plugin 'D2': activation criteria not met, nothing to do"

Cannot find a way to produce more logging on this.

global.xml:

<bean id="D2-access-sps" parent="shibboleth.Conditions.RelyingPartyId">
  <constructor-arg name="candidates">
    <list>
      <value>https://example1.com/sp</value>
      <value>https://example2.com/sp</value>
    </list>
  </constructor-arg>
</bean>

<!-- An AND checking for both Attribute Checking and SP -->
<bean id="ConditionStudents" parent="shibboleth.Conditions.AND">
 <constructor-arg>
  <list>
    
    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" p:useUnfilteredAttributes="true">
      <property name="attributeValueMap">
        <map>
          <entry key="eduPersonAffiliation">
            <list>
              <value>student</value> <!-- * does not match either -->
            </list>
          </entry>
        </map>
      </property>
    </bean>
    
    <bean parent="D2-access-sps" /> <!-- this works if I comment the 1st bean -->

  </list>
 </constructor-arg>
</bean>

attribute-resolver.xml:

    <AttributeDefinition id="eduPersonAffiliation" xsi:type="Simple" preRequested="true">
        <InputDataConnector ref="D1" attributeNames="eduPersonAffiliation"/>
    </AttributeDefinition>
   
    <DataConnector id="D2" xsi:type="LDAPDirectory"
        activationConditionRef="ConditionStudents"
        ...
         
Relevant parts from logs:
2022-01-10 16:01:04,971 -  - DEBUG [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.LDAPDataConnectorParser:128] - Data Connector 'D2': Parsing XML configuration [DataConnector: null]
2022-01-10 16:01:08,709 -  - DEBUG [net.shibboleth.idp.attribute.resolver.spring.BaseResolverPluginDependencyParser:45] - Parsing configuration for InputDataConnector with pluginId: D2
2022-01-10 16:01:08,711 -  - DEBUG [net.shibboleth.idp.attribute.resolver.spring.BaseResolverPluginParser:67] - Parsing configuration for DataConnector plugin with id: D2
2022-01-10 16:01:08,711 -  - DEBUG [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.LDAPDataConnectorParser:128] - Data Connector 'D2': Parsing XML configuration [DataConnector: null]
2022-01-10 16:01:09,991 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:660] - Attribute Resolver 'ShibbolethAttributeResolver': Checking if data connector 'D2' has a circular dependency

2022-01-10 16:02:01,435 -  - DEBUG [net.shibboleth.idp.authn.impl.FinalizeAuthentication:116] - Profile Action FinalizeAuthentication: Canonical principal name was established as 'user at example.com'
2022-01-10 16:02:01,438 -  - DEBUG [net.shibboleth.idp.session.impl.UpdateSessionWithAuthenticationResult:222] - Profile Action UpdateSessionWithAuthenticationResult: Creating new session for principal user at example.com
2022-01-10 16:02:01,457 -  - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.TemplatedExecutableSearchFilterBuilder:214] - Template text (eduPersonPrincipalName=$resolutionContext.principal) yields (eduPersonPrincipalName=user at example.com)
2022-01-10 16:02:01,509 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:225] - Data Connector 'D1': produced the following 11 attributes during resolution [eduPersonEntitlement, eduPersonOrgUnitDN, mail, eduPersonAffiliation, displayName, givenName, eduPersonOrgDN, eduPersonPrincipalName, sn, cn, entryDN]
2022-01-10 16:02:01,510 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:229] - Data Connector 'D1': Attribute 'eduPersonAffiliation': Values '[StringAttributeValue{value=student}]'
2022-01-10 16:02:01,512 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:419] - Attribute Resolver 'ShibbolethAttributeResolver': Data connector 'D1' resolved the following attributes: [eduPersonEntitlement, eduPersonOrgUnitDN, mail, eduPersonAffiliation, displayName, givenName, eduPersonOrgDN, eduPersonPrincipalName, sn, cn, entryDN]
2022-01-10 16:02:01,519 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'eduPersonAffiliation': produced an attribute with the following values [StringAttributeValue{value=student}]
2022-01-10 16:02:01,520 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:336] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute definition 'eduPersonAffiliation' produced an attribute with 1 values
2022-01-10 16:02:01,520 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:529] - Attribute Resolver 'ShibbolethAttributeResolver': Attribute 'eduPersonAffiliation' has 1 values after post-processing
2022-01-10 16:02:01,521 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:634] - Pre-resolved Attributes: [eduPersonAffiliation, eduPersonPrincipalName]

2022-01-10 16:02:01,522 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:441] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'D2'
2022-01-10 16:02:01,522 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:450] - Attribute Resolver 'ShibbolethAttributeResolver': Finished resolving dependencies for 'D2'
2022-01-10 16:02:01,523 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:396] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving data connector D2
2022-01-10 16:02:01,524 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:246] - Resolver plugin 'D2': activation criteria not met, nothing to do
2022-01-10 16:02:01,524 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:422] - Attribute Resolver 'ShibbolethAttributeResolver': Data connector 'D2' produced no attributes

If I remove the SimpleAttributePredicate bean, then everything works as expected.
It is as if eduPersonAffiliation is not available at all when the condition is evaluated, even though it has been resolved.

Any ideas?

Thanks,

Giannis
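
A log-triage helper for the situation described in this post, added here as an example (not the poster's code and not part of Shibboleth): for each "activation criteria not met" line it lists the attribute values the resolver had already logged shortly before. The function name, the 5-second correlation window and the choice of three sample lines (copied from the log excerpt above) are this example's assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: three lines copied from the log excerpt in the post.
SAMPLE_LOG = """\
2022-01-10 16:02:01,519 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractAttributeDefinition:139] - Attribute Definition 'eduPersonAffiliation': produced an attribute with the following values [StringAttributeValue{value=student}]
2022-01-10 16:02:01,523 -  - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:396] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving data connector D2
2022-01-10 16:02:01,524 -  - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:246] - Resolver plugin 'D2': activation criteria not met, nothing to do
"""

STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) ")
PRODUCED = re.compile(r"Attribute Definition '([^']+)': produced an attribute "
                      r"with the following values \[(.*)\]")
VALUE = re.compile(r"value=([^}]*)\}")
SKIPPED = re.compile(r"Resolver plugin '([^']+)': activation criteria not met")


def skipped_plugins(log_text, window_s=5.0):
    """Return one record per plugin skipped by its activation condition, with
    the attribute values logged within window_s seconds before the skip.
    The time window is an assumption: this log format carries no request id."""
    resolved = {}   # attribute id -> (timestamp, [values])
    findings = []
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if not m:
            continue  # blank lines, stack traces, wrapped output
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f")
        if (p := PRODUCED.search(line)):
            resolved[p.group(1)] = (when, VALUE.findall(p.group(2)))
        elif (s := SKIPPED.search(line)):
            cutoff = when - timedelta(seconds=window_s)
            recent = {a: v for a, (t, v) in resolved.items() if t >= cutoff}
            findings.append({"plugin": s.group(1), "at": m.group(1),
                             "resolved_before": recent})
    return findings


if __name__ == "__main__":
    for f in skipped_plugins(SAMPLE_LOG):
        print(f"{f['at']}  {f['plugin']} skipped; "
              f"already resolved: {f['resolved_before']}")
```
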


