<!--
Returns true if a user's directory entity authorizes use of the "basic" profile or
if the active results include the "mfa" profile constant.
-->
<bean id="shibboleth.context-check.Condition" parent="shibboleth.Conditions.OR">
    <!-- The OR parent takes a list of conditions; the list below holds the two alternatives. -->
    <constructor-arg>
        <list>
            <!--
            Alternative 1: the eduPersonAssurance attribute carries the "basic" assurance URI.
            useUnfilteredAttributes is set to true, so the check reads the attribute values
            before attribute filtering. NOTE(review): confirm that the unfiltered directory
            data is the intended source for this authorization decision.
            -->
            <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                <property name="useUnfilteredAttributes" value="true" />
                <property name="attributeValueMap">
                    <map>
                        <entry key="eduPersonAssurance">
                            <list>
                                <value>http://id.incommon.org/assurance/basic</value>
                            </list>
                        </entry>
                    </map>
                </property>
            </bean>

            <!-- Alternative 2: the scripted MFA check defined in the CheckForMFA bean. -->
            <ref bean="CheckForMFA" />
        </list>
    </constructor-arg>
</bean>
<!-- Checks all the active authentication results for the appropriate AuthnContextClassRefPrincipal. -->
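<bean id="CheckForMFA" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <!--
    Inline script used as a condition. It evaluates to true only when one of the subjects in the
    SubjectContext holds an AuthnContextClassRefPrincipal whose name is exactly the "mfa"
    assurance URI; otherwise it evaluates to false.
    -->
    <constructor-arg>
        <value>
        <![CDATA[
            // Default to "not satisfied"; only an exact principal match flips this to true.
            var value = false;
            var principalType = Java.type("net.shibboleth.idp.saml.authn.principal.AuthnContextClassRefPrincipal");

            // "input" is the object handed to the scripted condition (the profile request
            // context). The listing previously read "profileContextinput", which is not a
            // defined script variable: the script would raise an error instead of evaluating
            // the principals, leaving the outcome of this access check to the condition's
            // error handling rather than to the user's authentication results.
            var subjectCtx = input.getSubcontext("net.shibboleth.idp.authn.context.SubjectContext");

            // A missing SubjectContext leaves the result at false.
            if (subjectCtx != null) {
                var subjectIter = subjectCtx.getSubjects().iterator();
                // Stop scanning as soon as a match is found.
                while (!value && subjectIter.hasNext()) {
                    var princIter = subjectIter.next().getPrincipals(principalType.class).iterator();
                    while (!value && princIter.hasNext()) {
                        // Exact string comparison against the MFA assurance URI.
                        if (princIter.next().getName() == "http://id.incommon.org/assurance/mfa") {
                            value = true;
                        }
                    }
                }
            }

            // The last expression is the script's result.
            value;
        ]]>
        </value>
    </constructor-arg>
</bean>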