Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
...
The ScriptedAttribute
AttributeDefinition constructs an output attribute via the execution of a JSR-223 script. Scripts are somewhat easier to write and maintain than native Java code, though they are slower. They can also be changed dynamically since the resolver is a ReloadableService.
Scripting
Localtabgroup |
localtab-live Expand |
---|
|
The script "context" defines the execution environment for the script and provides the following variables: resolutionContext id Variable which implements ScriptedIdPAttribute, whose name is the ID of the AttributeDefinition, and which will be the output of the script. Note: If an attribute of this same name occurs as a dependency (see below), then the attribute will be pre-populated with all the values of the dependent attribute.
profileContext custom subjects
In addition, each defined dependency of the connector, it exists, will be present via an object which implements ScriptedIdPAttribute. For an AttributeDefinition dependency, that IdPAttribute is supplied. For a DataConnector dependency, each IdPAttribute produced by that connector is supplied. The variable's name will be the attribute ID of the attribute from the dependency. In the event that more than one dependency produces attributes with the same ID, the values of all of those attributes are merged and made available to the script. Note that any changes made to these dependency objects within the script will not be reflected in the result of the resolution process. In contrast, changes made to other objects accessed by means of the other variables in most cases will cause side effects, and should usually be avoided. localtab-live |
Expand |
---|
title | ScriptedtIdPAttribute Class |
---|
|
Wrapper ClassThe attribute variables (both input and output) available to the scripting environment are exposed using a wrapper class, ScriptedIdPAttribute, which has the following methods: Adding ValuesValues are added by calling the addValue() method. This must take either a String value or an object which implements IdPAttributeValue. The former is the most common case. A useful example of the latter is ScopedStringAttributeValue which has two constructor parameters - the value and scope, respectively. There are also other subclasses available. Thus: Adding a String Attribute Value (Rhino) Code Block |
---|
eduPersonEntitlement.addValue("urn:mace:dir:entitlement:common-lib-terms"); |
Adding a Scoped Attribute Value (Nashorn) Code Block |
---|
| scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");
eduPersonPrincipalName.addValue(new scopedValueType("user", "example.org")); | localtab-live |
Expand |
---|
|
The standard way of locating other context types in the tree of state information is via context navigation. The following example shows how to locate a peer context and a child context (the actual context types shown are examples only): Locating other contexts Code Block |
---|
| child = resolutionContext.getSubcontext("net.shibboleth.idp.attribute.resolver.ChildContextType");
parent = resolutionContext.getParent();
peer = parent.getSubcontext("net.shibboleth.idp.attribute.resolver.PeerContextType");
| localtab-live |
Expand |
---|
|
The same logging framework used throughout the IdP (SLF4J) may be used for logging within a script. First import the package org.slf4j and then obtain an org.slf4j.Logger object from an org.slf4j.LoggerFactory . The logging category name used is arbitrary, but you may need to adjust the IdP's logging configuration to see particular results. Logging levels available are: error, warn, info, debug, trace. The string passed to the LoggerFactory.getLogger method should be the name of an existing logger element, defined in logging.xml. For more information on configuring logging within the IdP, see the LoggingConfiguration topic. Logging (Rhino) Code Block |
---|
| importPackage(Packages.org.slf4j);
logger = LoggerFactory.getLogger("net.shibboleth.idp.attribute");
Scripted.addValue("foo");
Scripted.addValue("bar");
logger.info("Values of scriptTest were: {} ", Scripted.getValues()); |
Logging (Nashorn) Code Block |
---|
| logger = Java.type("org.slf4j.LoggerFactory").getLogger("net.shibboleth.idp.attribute");
Scripted.addValue("foo");
Scripted.addValue("bar");
logger.info("Values of scriptTest were: {} ", Scripted.getValues()); |
|
Reference
Localtabgroupexpand |
---|
Localtab live |
---|
title | Specific XML Attributes |
---|
|
Name | Type | Default | Description |
---|
language | string | JavaScript | The default is ECMA script using either the Rhino (Java 7) or Nashorn (Java 8+) engines. This situation is in flux due to the removal of Nashorn from future Java versions, and there are plans to provide a V4.1+ plugin that supplies one of these options in the future at the deployer's discretion. | customObjectRef | string | | The name of a Spring Bean defined elsewhere. This bean will be made available to the script in a variable named "custom ". |
localtab-live |
Expand |
---|
| Specific |
The following XML Elements are specific to this connector, and one of them must be supplied: Name | Description |
---|
<Script> | The contents define the script to execute, usually wrapped in an XML CDATA block to avoid escaping | <ScriptFile> | The contents define a file which contains the script to execute |
localtab-live |
Expand |
---|
title | Common XML Attributes |
---|
|
Include Page |
---|
| AttributeDefinitionCommonAttributes |
---|
| AttributeDefinitionCommonAttributes |
---|
| localtab-live |
Expand |
---|
|
Include Page |
---|
| AttributeDefinitionCommonChildElements |
---|
| AttributeDefinitionCommonChildElements |
---|
|
|
V2 Compatibility
Warning |
---|
This support is deprecated and should have been removed in V4, however the change was not warned about sufficiently. This will be removed in V5. |
...
Get eduPersonPrincipalName
from LDAP or build one from uid
Variant 1: A "Prescoped" AttributeDefinition resolves existing eduPersonPrincipalName
values from LDAP, then depends on a "ScriptedAttribute" definition to generate missing values. The Script also needs a dependency on the myLDAP
DataConnector in order to have access to existing eduPersonPrincipalName
and uid
attribute values.
Minimal scripting, using Dependencies (Nashorn)
...