...
That is, it lets the IdP run a method against an input object to get a yes/no answer. The input in the majority of cases is the "root" object of the context state tree that tracks a request from start to finish, of type org.opensaml.profile.context.ProfileRequestContext. By consistently basing everything off of that abstraction, it's possible to build up a library of condition objects that can be used in many different places to implement some kind of check.
The IdP includes a fairly extensive library of such conditions, and there are a number of pre-defined beans provided to help make configuration simpler for a lot of common use cases and we can extend that set over time (and it's easy to submit more examples here that people can cut and paste).
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<!-- A script that checks a Relying Party name --> <bean id="MyCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript"> <constructor-arg> <value> <![CDATA[ "use strict"; var result = false; // an implementation of Predicate<ProfileRequestContext> // The IdP environment provides two variables "profileContext" // if the predicate function returns true, the activation conditionand "custom". // is satisfied. // // the profileContext argument is of type: // org.opensaml.profile.context.ProfileRequestContext // custom // is whatever you injected (function (context) { // The value of the last statement "use strict"; in this function is the reurn value var id = "https://sp.example.com/shibboleth"; // an entityID // specify the child context of the root ProfileRequestContext var subcontextClass = "net.shibboleth.idp.profile.context.RelyingPartyContext"; var subcontext; // check the parameter if (context === null) { return false; } profileContext!== null) { // check the entityID of the relying party subcontext = contextprofileContext.getSubcontext(subcontextClass); if (subcontext !=== null) { return false; } result return= subcontext.getRelyingPartyId().equals(id); } }(profileContext)) } result; ]]> </value> </constructor-arg> </bean> |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<!-- An AND checking for both an SP and a network address --> <bean id="MyCondition" parent="shibboleth.Conditions.AND"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" /> </constructor-arg> <constructor-arg> <bean class="org.opensaml.profile.logic.IPRangePredicate" p:httpServletRequest-ref="shibboleth.HttpServletRequest" p:addressRangesranges="192.168.1.0/24" /> </constructor-arg> </bean> |
...