...
We also supply public implementations of this interface such that the logic can be supplied via a script or via a Spring Expression, avoiding the overhead of creating a new Java class in a separate jar/extension library.
Use Cases
Some of the advanced uses you might have for this feature include:
...
Expand |
---|
|
Code Block |
---|
| <!-- A script that checks a Relying Party name -->
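<bean id="MyCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <!--
        Scripted condition that is true only when the relying party's entityID
        equals the value hard-coded in the script. Every other path (no profile
        context, no RelyingPartyContext, no relying party id) leaves the result
        at false, so the condition fails closed.
    -->
    <constructor-arg>
        <value>
        <![CDATA[
            "use strict";

            // An implementation of Predicate<ProfileRequestContext>.
            // The IdP environment provides two variables "profileContext" and "custom".
            // profileContext is of type org.opensaml.profile.context.ProfileRequestContext
            // custom is whatever you injected
            // The value of the last statement in this script is the return value.

            var id = "https://sp.example.com/shibboleth"; // an entityID
            var result = false;                           // default: condition not met

            if (profileContext !== null) {
                // look up the child context of the root ProfileRequestContext
                var subcontext = profileContext.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
                if (subcontext !== null) {
                    // check the entityID of the relying party; guard against a
                    // missing id so the comparison cannot dereference null
                    var rpId = subcontext.getRelyingPartyId();
                    result = rpId !== null && rpId.equals(id);
                }
            }

            result;
        ]]>
        </value>
    </constructor-arg>
</bean> |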
|
...
Expand |
---|
title | Spring Expression Example |
---|
|
Code Block |
---|
| <!-- A Spring Expression that checks a Relying Party name -->
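<bean id="MyCondition" parent="shibboleth.Conditions.Expression">
    <!--
        Spring Expression that is true only when the relying party's entityID
        equals the literal below. The literal is the receiver of equals() and the
        lookups use safe navigation (?.), so a missing profile context,
        RelyingPartyContext or relying party id evaluates to false rather than
        raising a null dereference during evaluation.
    -->
    <constructor-arg>
        <value>
            "https://sp.example.com/shibboleth".equals(#profileContext?.getSubcontext(T(net.shibboleth.idp.profile.context.RelyingPartyContext))?.getRelyingPartyId())
        </value>
    </constructor-arg>
</bean> |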
|
...
Expand |
---|
title | Relying Party By Tag |
---|
|
Code Block |
---|
| <!-- Tag condition -->
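<bean id="MyCondition" parent="shibboleth.Conditions.EntityDescriptor">
    <!--
        Condition that matches relying parties by entity attribute ("tag"): here
        the entity-category attribute carrying either of the two listed values.

        NOTE(review): the page text ran two spellings of the inner bean
        references together (class="fully qualified class name" and
        parent="bean id"). The parent-bean form is shown here; confirm that
        these bean ids exist in the IdP version you run.

        NOTE(review): the match is presumably made on entity attributes taken
        from the relying party's metadata, so the condition is only as
        trustworthy as that metadata; confirm the metadata source is verified
        before it is loaded.
    -->
    <constructor-arg name="pred">
        <bean parent="shibboleth.Conditions.MappedEntityAttributes">
            <constructor-arg>
                <list>
                    <bean parent="shibboleth.TagCandidate"
                          c:name="http://macedir.org/entity-category"
                          p:values="#{{ 'http://refeds.org/category/research-and-scholarship', 'http://example.org/mycategory' }}" />
                </list>
            </constructor-arg>
        </bean>
    </constructor-arg>
</bean> |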
|
...
Code Block |
---|
|
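<!--
    Condition that is true when the client address falls inside one of the
    listed CIDR ranges (the ranges shown are sample private networks).

    NOTE(review): the page text ran two spellings of the request property
    together (httpServletRequest / httpServletRequestSupplier). The Supplier
    form is shown here; confirm it matches the IdP version you run.

    NOTE(review): the address tested is presumably the one reported by the
    servlet request. Behind a reverse proxy or load balancer that may be the
    proxy's address; confirm the container reports the real client address and
    accepts forwarded-address headers only from proxies you control, otherwise
    an address-based condition can be satisfied by the wrong clients.
-->
<bean id="MyCondition" class="org.opensaml.profile.logic.IPRangePredicate"
      p:httpServletRequestSupplier-ref="shibboleth.HttpServletRequestSupplier"
      p:ranges="#{ {'192.168.1.0/24', '192.168.2.0/28'} }" /> |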
See this link for more details
...
Expand |
---|
title | Attribute Checking Examples |
---|
|
Code Block |
---|
| <!-- Check for a particular entitlement -->
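<bean parent="shibboleth.Conditions.SimpleAttribute" p:useUnfilteredAttributes="true">
    <!--
        True when the "entitlement" attribute carries the listed value.

        NOTE(review): the page text ran two spellings of the bean reference
        together (class="fully qualified class name" and parent="bean id").
        The parent-bean form is shown here; confirm the bean id exists in the
        IdP version you run.

        NOTE(review): with useUnfilteredAttributes set to true the check
        presumably runs against attributes before release filtering, so it can
        match on a value that is never sent to the relying party; confirm that
        is the intended basis for the decision.
    -->
    <property name="attributeValueMap">
        <map>
            <entry key="entitlement">
                <list>
                    <value>urn:mace:dir:entitlement:common-lib-terms</value>
                </list>
            </entry>
        </map>
    </property>
</bean>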
<!-- Check that an eduPersonPrincipalName exists -->
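<bean parent="shibboleth.Conditions.SimpleAttribute">
    <!--
        True when an "eppn" attribute is present; the "*" entry stands for any
        value, so this tests existence only and says nothing about what the
        value is.

        NOTE(review): the page text ran two spellings of the bean reference
        together (class="fully qualified class name" and parent="bean id").
        The parent-bean form is shown here; confirm the bean id exists in the
        IdP version you run.
    -->
    <property name="attributeValueMap">
        <map>
            <entry key="eppn">
                <list>
                    <value>*</value>
                </list>
            </entry>
        </map>
    </property>
</bean> |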
|
...
Expand |
---|
title | Specific Relying Party AND Client Address Range |
---|
|
Code Block |
---|
| <!-- An AND checking for both an SP and a network address -->
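<bean id="MyCondition" parent="shibboleth.Conditions.AND">
    <!--
        True only when BOTH nested conditions hold: the relying party is the
        named SP and the client address is inside the listed range.

        NOTE(review): the page text ran two spellings of the request property
        together (httpServletRequest / httpServletRequestSupplier). The Supplier
        form is shown here; confirm it matches the IdP version you run.

        NOTE(review): the address half presumably tests the address reported by
        the servlet request; behind a reverse proxy confirm that this is the real
        client address and that forwarded-address headers are accepted only from
        proxies you control.
    -->
    <constructor-arg>
        <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" />
    </constructor-arg>
    <constructor-arg>
        <bean class="org.opensaml.profile.logic.IPRangePredicate"
              p:httpServletRequestSupplier-ref="shibboleth.HttpServletRequestSupplier"
              p:ranges="192.168.1.0/24" />
    </constructor-arg>
</bean> |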
|
...