Configuring a Scriptlet Attribute Definition
NOTE: This attribute definition is only included since IdP 1.3.1 (see announcement e-mail). If you use an earlier IdP release, you may retrieve it from the source control system if you feel comfortable doing so, until it is available in another, easier to install, form.
This attribute definition allows Java code to be written in the definition and executed when the attribute is requested. This provides nearly limitless flexibility for creating or transforming attributes. The scripts are processed by the BeanShell interpreter.
Configuring the Definition
- Create a ScriptletAttributeDefinition element with its id attribute.
- Create a Scriptlet element, child of ScriptletAttributeDefinition, whose content is Java code that should be executed when this attribute is requested. You may wish to place this data in a CDATA section to ensure it does not interfere with the XML processing.
...
Field Name | Field Type | Description
--- | --- | ---
resolverAttribute | edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverAttribute | The incoming attribute
principal | java.security.Principal | The principal of the user whose attributes are being fetched
requester | String | The ID of the service provider to whom the attributes are going
responder | String | The ID of the identity provider
dependencies | edu.internet2.middleware.shibboleth.aa.attrresolv.Dependencies | The connectors and attributes this definition depends on
log | org.apache.log4j.Logger | The logger for this definition
Example Configuration
```xml
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
        Attributes attributes = dependencies.getConnectorResolution("directory");
        Attribute affiliation = attributes.get("eduPersonAffiliation");
        // guard against a missing attribute before asking for its size
        if (affiliation != null && affiliation.size() > 0) {
            resolverAttribute.addValue("affiliate");
        }
    ]]></Scriptlet>
</ScriptletAttributeDefinition>
```
Example Configuration for common-lib-terms
This example sets eduPersonEntitlement to the common-lib-terms URN for a principal with affiliation staff or student, while keeping any entitlement values retrieved from the directory.
For the definition of common-lib-terms, refer to http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html.
```xml
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
    <DataConnectorDependency requires="directory"/>
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <Scriptlet><![CDATA[
        Attributes attributes = dependencies.getConnectorResolution("directory");
        Attribute entitlement = attributes.get("eduPersonEntitlement");
        // add values from directory
        for (int i = 0; entitlement != null && i < entitlement.size(); i++)
        {
            resolverAttribute.addValue(entitlement.get(i));
        }
        // add common-lib-terms for staff and student
        Attribute attribute = attributes.get("eduPersonAffiliation");
        if (attribute != null &&
            (attribute.contains("staff") ||
             attribute.contains("student")))
        {
            resolverAttribute.addValue("urn:mace:dir:entitlement:common-lib-terms");
        }
    ]]>
    </Scriptlet>
</ScriptletAttributeDefinition>
```
Example Configuration for using the Active Directory objectSid as a uniqueID
As the following example shows, you can do even more complex things with the scriptlet attribute engine like converting an attribute. The code below uses the binary "objectSid" attribute to generate a uniqueID attribute that is common in some federations like SWITCHaai.
```xml
<!-- Convert objectSid and objectGUID to uniqueID -->
<ScriptletAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
        // Import Apache Commons Codec
        import org.apache.commons.codec.digest.DigestUtils;
        // Get attributes
        Attributes attributes = dependencies.getConnectorResolution("directory");
        // Get objectSid and objectGUID
        Attribute obsid = attributes.get("objectSid");
        Attribute obguid = attributes.get("objectGUID");
        // Generate md5 hex of objectGUID concatenated with objectSid
        String uniqueValue = (String)obguid.get(0) + (String)obsid.get(0);
        //System.out.println("Unique value: " + uniqueValue );
        String localpart = DigestUtils.md5Hex(uniqueValue);
        // Add attribute
        //System.out.println("UniqueID: " + localpart + "@switch.ch");
        resolverAttribute.addValue( localpart + "@switch.ch");
    ]]>
    </Scriptlet>
</ScriptletAttributeDefinition>
```
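The scriptlet above concatenates whatever the connector hands it for objectGUID and objectSid and hashes the result. The following is an added example, not code from the wiki page or from the Shibboleth project: it decodes the two binary Active Directory values into their canonical string forms (S-1-5-21-... and the dashed GUID) before hashing, so the resulting identifier does not change if the LDAP provider is later configured to return the attributes as bytes instead of strings. It assumes the connector delivers a `byte[]` for each attribute, uses `java.security.MessageDigest` in place of `DigestUtils.md5Hex` so that only the JDK is needed, and the SID and GUID bytes in `main` are constructed sample values.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.security.MessageDigest;

// Added example: canonical decoding of AD objectSid/objectGUID before building a uniqueID.
public class UniqueIdFromAd {

    /** Decode a binary AD objectSid into its canonical "S-1-5-21-..." string form. */
    public static String sidToString(byte[] sid) {
        if (sid == null || sid.length < 8) {
            throw new IllegalArgumentException("objectSid too short");
        }
        int revision = sid[0] & 0xFF;
        int subAuthorityCount = sid[1] & 0xFF;
        if (sid.length != 8 + 4 * subAuthorityCount) {
            throw new IllegalArgumentException("objectSid length does not match sub-authority count");
        }
        // Identifier authority: 48-bit big-endian integer in bytes 2..7
        long authority = 0;
        for (int i = 2; i < 8; i++) {
            authority = (authority << 8) | (sid[i] & 0xFF);
        }
        StringBuilder sb = new StringBuilder("S-").append(revision).append('-').append(authority);
        // Sub-authorities: 32-bit little-endian unsigned integers
        ByteBuffer buf = ByteBuffer.wrap(sid, 8, 4 * subAuthorityCount).order(ByteOrder.LITTLE_ENDIAN);
        for (int i = 0; i < subAuthorityCount; i++) {
            sb.append('-').append(buf.getInt() & 0xFFFFFFFFL);
        }
        return sb.toString();
    }

    /** Decode a binary AD objectGUID into the usual "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" form. */
    public static String guidToString(byte[] guid) {
        if (guid == null || guid.length != 16) {
            throw new IllegalArgumentException("objectGUID must be 16 bytes");
        }
        ByteBuffer buf = ByteBuffer.wrap(guid).order(ByteOrder.LITTLE_ENDIAN);
        // The first three fields are stored little-endian, the remaining eight bytes as-is
        int data1 = buf.getInt();
        int data2 = buf.getShort() & 0xFFFF;
        int data3 = buf.getShort() & 0xFFFF;
        byte[] data4 = new byte[8];
        buf.get(data4);
        return String.format("%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x",
                data1, data2, data3,
                data4[0] & 0xFF, data4[1] & 0xFF, data4[2] & 0xFF, data4[3] & 0xFF,
                data4[4] & 0xFF, data4[5] & 0xFF, data4[6] & 0xFF, data4[7] & 0xFF);
    }

    /** Hex-encoded MD5, equivalent to DigestUtils.md5Hex used in the page's scriptlet. */
    public static String md5Hex(String input) throws Exception {
        byte[] digest = MessageDigest.getInstance("MD5").digest(input.getBytes("UTF-8"));
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b & 0xFF));
        }
        return sb.toString();
    }

    /** Same construction as the scriptlet: md5Hex(objectGUID + objectSid) + "@" + scope. */
    public static String uniqueId(byte[] guid, byte[] sid, String scope) throws Exception {
        return md5Hex(guidToString(guid) + sidToString(sid)) + "@" + scope;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample SID: revision 1, 5 sub-authorities, authority 5, then 21,1,2,3,1000
        byte[] sid = {
            0x01, 0x05, 0, 0, 0, 0, 0, 0x05,
            0x15, 0, 0, 0,
            0x01, 0, 0, 0, 0x02, 0, 0, 0, 0x03, 0, 0, 0,
            (byte) 0xE8, 0x03, 0, 0
        };
        // Constructed sample GUID bytes (little-endian in the first three fields)
        byte[] guid = {
            0x78, 0x56, 0x34, 0x12, 0x34, 0x12, 0x78, 0x56,
            (byte) 0x9A, (byte) 0xBC, (byte) 0xDE, (byte) 0xF0, 0x12, 0x34, 0x56, 0x78
        };
        System.out.println(sidToString(sid));
        System.out.println(guidToString(guid));
        System.out.println(uniqueId(guid, sid, "example.org")); // scope is a placeholder
    }
}
```

The decoders fail loudly on malformed input rather than producing a hash of garbage, which is the behaviour you want for an identifier that is supposed to stay stable for the life of the account.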
Example Configuration for using memberOf attributes to generate affiliation
```xml
<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
    <Scriptlet><![CDATA[
        Attributes attributes = dependencies.getConnectorResolution("directory");
        Attribute memberOf = attributes.get("memberOf");
        // derive affiliations from the group DNs in memberOf
        String value = "none";
        boolean student = false;
        boolean faculty = false;
        boolean staff = false;
        boolean member = false;
        for (int i = 0; memberOf != null && i < memberOf.size(); i++)
        {
            value = (String) memberOf.get(i);
            // substring match on the group DN (indexOf returns -1 when absent)
            if (value.indexOf("Stud") >= 0){
                student = true;
            }
            if (value.indexOf("Doz") >= 0){
                faculty = true;
            }
            if (value.indexOf("Lehr") >= 0){
                faculty = true;
            }
        }
        if (!student && !faculty){
            staff = true;
        }
        if (student){
            resolverAttribute.addValue("student");
        }
        if (faculty){
            resolverAttribute.addValue("faculty");
        }
        if (staff || faculty){
            resolverAttribute.addValue("staff");
        }
        if (student || staff){
            resolverAttribute.addValue("affiliate");
        }
    ]]>
    </Scriptlet>
</ScriptletAttributeDefinition>
```
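The scriptlet above classifies a user by searching for "Stud", "Doz" or "Lehr" anywhere in each group DN, so an unrelated group whose name merely contains one of those fragments grants the corresponding affiliation. The following is an added example, not code from the wiki page or from the Shibboleth project: it keeps the same affiliation rules but parses each DN with `javax.naming.ldap.LdapName` and compares the group's CN against an explicit list, so only the intended groups count. It assumes the scriptlet sees `javax.naming.directory.Attributes` (the JDK's `BasicAttributes` stands in for a directory result here), and the group names are constructed for illustration.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

// Added example: affiliation from memberOf using exact group CN matching.
public class AffiliationFromMemberOf {

    // Hypothetical group CNs that identify students and faculty; adjust to the real directory
    private static final Set<String> STUDENT_GROUPS =
            new HashSet<String>(Arrays.asList("Studierende"));
    private static final Set<String> FACULTY_GROUPS =
            new HashSet<String>(Arrays.asList("Dozenten", "Lehrbeauftragte"));

    /** Return the CN of a group DN, or null when the most specific RDN is not a CN. */
    public static String groupCn(String dn) throws NamingException {
        LdapName name = new LdapName(dn);
        // LdapName indexes from the right, so the most specific RDN is the last one
        Rdn rdn = name.getRdn(name.size() - 1);
        if (!"cn".equalsIgnoreCase(rdn.getType())) {
            return null;
        }
        return String.valueOf(rdn.getValue());
    }

    /** Apply the page's rules: student/faculty from group membership, staff when neither. */
    public static Set<String> affiliations(Attributes attributes) throws NamingException {
        boolean student = false;
        boolean faculty = false;
        Attribute memberOf = attributes.get("memberOf");
        for (int i = 0; memberOf != null && i < memberOf.size(); i++) {
            String cn = groupCn((String) memberOf.get(i));
            if (cn == null) {
                continue;
            }
            if (STUDENT_GROUPS.contains(cn)) {
                student = true;
            }
            if (FACULTY_GROUPS.contains(cn)) {
                faculty = true;
            }
        }
        boolean staff = !student && !faculty;
        Set<String> result = new LinkedHashSet<String>();
        if (student) {
            result.add("student");
        }
        if (faculty) {
            result.add("faculty");
        }
        if (staff || faculty) {
            result.add("staff");
        }
        if (student || staff) {
            result.add("affiliate");
        }
        return result;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed directory result; "true" makes attribute names case-insensitive like LDAP
        BasicAttributes attrs = new BasicAttributes(true);
        BasicAttribute memberOf = new BasicAttribute("memberOf");
        // Contains "Stud" but is not a student group: substring matching would mark this user a student
        memberOf.add("CN=StudioSupport,OU=Groups,DC=example,DC=org");
        memberOf.add("CN=Dozenten,OU=Groups,DC=example,DC=org");
        attrs.put(memberOf);
        System.out.println(affiliations(attrs));
    }
}
```

Keeping the group-to-affiliation mapping in an explicit set also makes the entitlement decision auditable: the list of groups that confer "faculty" is visible in one place rather than implied by whichever DNs happen to contain a fragment.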