...
That is, it lets the IdP run a method against an input object to get a yes/no answer. The input in the majority of cases is the "root" object of the context state tree that tracks a request from start to finish, of type org.opensaml.profile.context.ProfileRequestContext. By consistently basing everything off of that abstraction, it's possible to build up a library of condition objects that can be used in many different places to implement some kind of check.
The IdP includes a fairly extensive library of such conditions, and there are a number of pre-defined beans provided to help make configuration simpler for a lot of common use cases and we can extend that set over time (and it's easy to submit more examples here that people can cut and paste).
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<!-- A script that checks a Relying Party name --> <bean id="MyCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript"> <constructor-arg> <value> <![CDATA[ "use strict"; var result = false; // an implementation of Predicate<ProfileRequestContext> // The IdP environment provides two variables "profileContext" and "custom". // the profileContext argument is of type: // profileContext is of //type org.opensaml.profile.context.ProfileRequestContext // custom is whatever you injected // The value of the last statement in this function is the reurn value var id = "https://sp.example.com/shibboleth"; // an entityID // specify the child context of the root ProfileRequestContext var subcontextClass = "net.shibboleth.idp.profile.context.RelyingPartyContext"; var subcontext; // check the parameter if (profileContext!== null) { // check the entityID of the relying party subcontext = profileContext.getSubcontext(subcontextClass); if (subcontext !== null) { result = subcontext.getRelyingPartyId().equals(id); } } result; ]]> </value> </constructor-arg> </bean> |
...
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
<!-- An AND checking for both an SP and a network address --> <bean id="MyCondition" parent="shibboleth.Conditions.AND"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" /> </constructor-arg> <constructor-arg> <bean class="org.opensaml.profile.logic.IPRangePredicate" p:httpServletRequest-ref="shibboleth.HttpServletRequest" p:addressRangesranges="192.168.1.0/24" /> </constructor-arg> </bean> |
...