The ScriptedAttribute attribute definition constructs an output attribute via the execution of a JSR-223 script.
...
Of course, for new scripts created for V3 alone, this isn't necessary.
Examples
Get eduPersonPrincipalName from LDAP or build one from uid
Variant 1: A "Prescoped" AttributeDefinition resolves existing eduPersonPrincipalName values from LDAP, and it also depends on the "ScriptedAttribute" definition to generate missing values. The ScriptedAttribute definition has a dependency on the myLDAP DataConnector in order to have access to any existing eduPersonPrincipalName and uid attribute values.
(Note that this variant will generate WARN-level entries in idp-process.log, due to the use of 2 Dependency elements while the specified sourceAttributeID only exists in one of them. That's a known issue with the resolver schema. To avoid the warning from getting logged you can add an entry to your logback.xml for the appropriate class ("net.shibboleth.idp.attribute.resolver.PluginDependencySupport"), setting the level to ERROR.)
```xml
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped">
    <!-- Values generated by the scripted definition below when LDAP has none -->
    <InputAttributeDefinition ref="eppnFromUid" />
    <!-- Existing eduPersonPrincipalName values resolved from LDAP -->
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName" />
    <AttributeEncoder xsi:type="SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
    <AttributeEncoder xsi:type="SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="eppnFromUid" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName uid" />
    <Script><![CDATA[
        // Only build a value when LDAP returned no eduPersonPrincipalName
        if (typeof eduPersonPrincipalName == "undefined")
            eppnFromUid.addValue(uid.getValues().get(0) + "@%{idp.scope}");
    ]]></Script>
</AttributeDefinition>
```
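The script above calls uid.getValues().get(0) without checking that uid was returned, that it has a single value, or that the value is safe to place in front of "@scope". The following is an added example, not code from the Shibboleth project: it shows the same fallback with those checks, using hypothetical names (SAFE_UID, stubAttribute, fillEppnFromUid), an assumed uid policy, and a small stub so it runs under Node.

```javascript
// Added example, not Shibboleth project code. SAFE_UID, stubAttribute and
// fillEppnFromUid are hypothetical names; ES5 syntax so the function body
// can also run under the IdP's JSR-223 JavaScript engine.

// Assumed uid policy: letters, digits, ".", "_", "-"; no "@" or whitespace.
var SAFE_UID = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Stand-in for the resolver objects used by the page's script:
// getValues() with get()/size(), and addValue().
function stubAttribute(initial) {
  var values = initial.slice();
  return {
    getValues: function () {
      return { get: function (i) { return values[i]; },
               size: function () { return values.length; } };
    },
    addValue: function (v) { values.push(v); }
  };
}

// eppn and uid are null when the LDAP entry has no such attribute.
function fillEppnFromUid(eppn, uid, out, scope) {
  if (eppn !== null && eppn.getValues().size() > 0) return "kept-ldap-value";
  if (uid === null || uid.getValues().size() === 0) return "skipped:no-uid";
  var vals = uid.getValues();
  // Picking get(0) of several values makes the identifier order-dependent.
  if (vals.size() !== 1) return "skipped:uid-not-single-valued";
  var local = String(vals.get(0));
  // A uid such as "bob@other.example" would yield a two-"@" scoped value.
  if (!SAFE_UID.test(local)) return "skipped:unsafe-uid";
  out.addValue(local + "@" + scope);
  return "built";
}

// Constructed sample entries (not real directory data).
function demo() {
  var cases = [
    { eppn: stubAttribute(["alice@example.org"]), uid: stubAttribute(["alice"]) },
    { eppn: null, uid: stubAttribute(["bob"]) },
    { eppn: null, uid: stubAttribute(["bob@other.example"]) },
    { eppn: null, uid: null }
  ];
  return cases.map(function (c) {
    var out = stubAttribute([]);
    var status = fillEppnFromUid(c.eppn, c.uid, out, "example.org");
    return { status: status, built: out.getValues().get(0) };
  });
}
console.log(demo());
```

Inside the Script element, the function would be called with eppnFromUid as the output and "%{idp.scope}" as the scope, passing null for eduPersonPrincipalName or uid when the typeof check reports them undefined.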
...