The ScriptedAttribute attribute definition constructs an output attribute via the execution of a JSR-223 script.
...
Of course, for new scripts created for V3 alone, this isn't necessary.
Examples
Get eduPersonPrincipalName from LDAP or build one from uid
Variant 1: A "Prescoped" AttributeDefinition resolves existing eduPersonPrincipalName values from LDAP, plus it depends on the "ScriptedAttribute" one to generate missing values. The Script also needs a Dependency The ScriptedAttribute definition has a dependency on the myLDAP DataConnector in order to have access to existing any eduPersonPrincipalName and uid attribute values.
(Note that this variant will generate WARN-level entries in idp-process.log, due to the use of 2 Dependency elements while the specified sourceAttributeID only exists in one of them. That's a known issue with the resolver schema. To avoid the warning from getting logged you can add an entry to your logback.xml for the appropriate class ("net.shibboleth.idp.attribute.resolver.PluginDependencySupport"), setting the level to ERROR.)
| Code Block | ||||
|---|---|---|---|---|
| ||||
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped">
<InputAttributeDefinition ref="eppnFromUid" />
<AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition id="eppnFromUid" xsi:type="ScriptedAttribute" dependencyOnly="true">
<InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName uid" />
<Script><![CDATA[if (typeof eduPersonPrincipalName == "undefined") eppnFromUid.addValue(uid.getValues().get(0) + "@%{idp.scope}");]]></Script>
</AttributeDefinition> |
...