Versions Compared

Old Version 6

changes.mady.by.user Scott Cantor

Saved on

compared with

New Version 7

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The underlying web interface, which is managed as an AdministrativeConfiguration, looks like this:

...

http[s]://localhost/idp/profile/admin/resolvertest?principal=jdoe&requester=https%3A%2F%2Fsp.example.org%2Fsp

The same thing on the command line would be:

...

$

...

/opt/shibboleth-idp/bin/aacli.sh

...

-n

...

jdoe

...

-r

...

https://sp.example.org/sp

The parameters supported and their corresponding command line options are:

Query String

Command Line

Description

requester

--requester, -r

Required, identifies the relying party (SP) to simulate a resolution for

principal

--principal, -n

Required, names the subject/user to simulate a resolution for

acsIndex

--acsIndex, -i

Identifies the index of anĀ <md:AttributeConsumingService> element in the SP's metadata, which allows certain uncommonly used filtering rules to be run

saml1

--saml1

Value is ignored, if present causes the output to be encoded into a SAML 1.1 assertion

saml2

--saml2

Value is ignored, if present causes the output to be encoded into a SAML 2.0 assertion

The tool essentially reproduces the results that would ordinarily be produced during a SSO or Attribute Query request. There are a couple of caveats to the reproduction of the results:

  • It bypasses any caching of results by data connectors so can occasionally provide different output, but this can help identify issues involving caching.

  • It can produce the same output under the assumption that plugins don't do unusual things that would be impossible to reproduce outside of a real transaction.

As an example of the second, if the resolution of data depended on some characteristic of the client, such as a network address, that would be unlikely to behave consistently, as would a scenario where the resolution of the data depended on details from the authentication process aside from just the canonicalized principal name.

...

V4.1 includes properties to control various aspects of the flow's behavior using an internally-defined bean that may be overridden if required.

Localtabgroup
Localtab live
activetrue
titleProperties (V4.1+)

The general properties configuring this flow via admin/admin.properties are:

Name

Default

Description

idp.resolvertest.logging

ResolverTest

Audit log identifier for flow

idp.resolvertest.accessPolicy

AccessByIPAddress

Name of access control policy for request authorization

idp.resolvertest.authenticated

false

Whether authentication should be performed prior to access control evaluation

idp.resolvertest.nonBrowserSupported

false

Whether the flow should allow for non-browser clients during authentication

idp.resolvertest.resolveAttributes

false

Whether attributes should be resolved prior to access control evaluation

Localtab live
titleFlow Descriptor XML (V4.1+)

To replace the internally defined flow descriptor bean, the following XML is required:

Code Block
languagexml
<util:list id="shibboleth.AvailableAdminFlows">
 
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/resolvertest"
        p:loggingId="%{idp.resolvertest.logging:ResolverTest}"
        p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}"
        p:nonBrowserSupported="%{idp.resolvertest.nonBrowserSupported:false}"
        p:authenticated="%{idp.resolvertest.authenticated:false}"
        p:resolveAttributes="%{idp.resolvertest.resolveAttributes:false}" />
 
</util:list>

In older versions and upgraded systems, this list is defined in conf/admin/general-admin.xml. In V4.1+, no default version of the list is provided and it may simply be placed in conf/global.xml if needed.