...
That is, it lets the IdP run a method against an input object to get a yes/no answer. The input in the majority of cases is the "root" object of the context state tree that tracks a request from start to finish, of type org.opensaml.profile.context.ProfileRequestContext. By consistently basing everything off of that abstraction, it's possible to build up a library of condition objects that can be used in many different places to implement some kind of check.
The IdP includes a fairly extensive library of such conditions, and there are a number of pre-defined beans provided to help make configuration simpler for a lot of common use cases and we can extend that set over time (and it's easy to submit more examples here that people can cut and paste).
...
| Code Block | ||||||
|---|---|---|---|---|---|---|
| ||||||
<!-- An AND checking for both an SP and a network address --> <bean id="MyCondition" parent="shibboleth.Conditions.AND"> <constructor-arg> <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidate="https://sp.example.com/shibboleth" /> </constructor-arg> <constructor-arg> <bean class="org.opensaml.profile.logic.IPRangePredicate" p:httpServletRequest-ref="shibboleth.HttpServletRequest" p:addressRangesranges="192.168.1.0/24" /> </constructor-arg> </bean> |
...