Versions Compared

Old Version 38

changes.mady.by.user trscavo@ncsa.illinois.edu

Saved on

compared with

New Version Current

changes.mady.by.user Scott Cantor

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

That is, it lets the IdP run a method against an input object to get a yes/no answer. The input in the majority of cases is the "root" object of the context state tree that tracks a request from start to finish, of type org.opensaml.profile.context.ProfileRequestContext. By consistently basing everything off of that abstraction, it's possible to build up a library of condition objects that can be used in many different places to implement some kind of check.

The IdP includes a fairly extensive library of such conditions, and there are a number of pre-defined beans provided to help make configuration simpler for a lot of common use cases and we can extend that set over time (and it's easy to submit more examples here that people can cut and paste).

...

Code Block
languagexml
titleJavascript Example
collapsetrue
<!-- A script that checks a Relying Party name -->
<bean id="MyCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
	<constructor-arg>
		<value>
        <![CDATA[
			"use strict";
			var result = false;

            // an implementation of Predicate<ProfileRequestContext>
            // The IdP environment provides two variables "profileContext"      // if the predicate function returns true, the activation conditionand "custom".  
          // is satisfied.
            //
            // the profileContext argument is of type:             // org.opensaml.profile.context.ProfileRequestContext
            //     custom  //        is whatever you injected 
(function (context) {          // The value of the last statement "use strict";

   in this function is the reurn value
            var id = "https://sp.example.com/shibboleth";  // an entityID



              // specify the child context of the root ProfileRequestContext
                var subcontextClass = "net.shibboleth.idp.profile.context.RelyingPartyContext";
  
             var subcontext;

                // check the parameter
   
            if (context === null) { return false; }

profileContext!== null) {
               // check the entityID of the relying party

               subcontext = contextprofileContext.getSubcontext(subcontextClass);
                if (subcontext !=== null) {
return false; }                result return= subcontext.getRelyingPartyId().equals(id);
               } 
           }(profileContext))  }
             result;
        ]]>
		</value>
	</constructor-arg>
</bean>

...

Code Block
languagexml
titleSpecific Relying Party AND Client Address Range
collapsetrue
<!-- An AND checking for both an SP and a network address -->
<bean id="MyCondition" parent="shibboleth.Conditions.AND">
	<constructor-arg>
		<bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" />
	</constructor-arg>
	<constructor-arg>
		<bean class="org.opensaml.profile.logic.IPRangePredicate"
				p:httpServletRequest-ref="shibboleth.HttpServletRequest"
				p:addressRangesranges="192.168.1.0/24" />
	</constructor-arg>
</bean>

...