The Shibboleth IdP V4 software will leave support on September 1, 2024.


Namespace: urn:mace:shibboleth:2.0:afp
Schema: http://shibboleth.net/schema/idp/shibboleth-afp.xsd

Overview

The Script type allows complex filtering to be defined with a scriptlet that acts as either a Mapper or a PolicyRule, depending on where it appears:

  • If the script is specified within the scope of an <AttributeRule> element, then the script has to be a Mapper, returning a Set<IdPAttributeValue>; the returned values are added to the permit or deny list for the attribute in question.

  • If the script is specified within the scope of a <PolicyRequirementRule> element, then the script has to be a PolicyRule (returning a Boolean), which determines whether the rule is active or not.

Data Available to the Script

The following variables are bound into the script by the IdP (name, type, description):

  • filterContext (AttributeFilterContext): the attribute filter context, which provides some information about the request and a mechanism to navigate to other contexts in the tree.

  • profileContext (ProfileRequestContext): the root context for the request.

  • attribute (IdPAttribute, Matcher only): the attribute being filtered.

  • custom (Object): contains whatever was provided by the customObjectRef attribute (see above).

  • subjects (array of Subject): the Subjects associated with this authorization. Note that these will only be present if the attribute resolution has been associated with an authentication, so this will not work for back-channel requests.

Reference

Examples

This simple rule adds the first value of the attribute "mail" to its permit list (guarding against an attribute that has no values, which would otherwise make the iterator throw and fail the filter):

Inline Matcher
<AttributeRule attributeID="mail">
    <PermitValueRule xsi:type="Script">
        <Script>
        <![CDATA[
            // Nashorn: build a Java LinkedHashSet, which the IdP expects as the Set<IdPAttributeValue> result.
            hashSetType = Java.type("java.util.LinkedHashSet");
            result = new hashSetType();
            // Only add a value if the attribute actually has one; an empty attribute
            // would otherwise make iterator().next() throw NoSuchElementException.
            values = attribute.getValues();
            if (!values.isEmpty()) {
                result.add(values.iterator().next());
            }
            // The value of the last expression is the matcher's result.
            result;
        ]]>
        </Script>
    </PermitValueRule>
</AttributeRule>

This example uses an external script file that determines the applicability of the rule based on an implied condition. It just demonstrates the mechanics of returning true or false from a script.

Externally specified PolicyRule
<AttributeFilterPolicy id="Example">
    <PolicyRequirementRule xsi:type="Script" language="JavaScript">
        <ScriptFile>%{idp.home}/conf/scripts/simple.js</ScriptFile>
    </PolicyRequirementRule>
</AttributeFilterPolicy>
Simple JavaScript PolicyRule
// Nashorn: the rule must evaluate to a java.lang.Boolean, so wrap the JS boolean.
boolType = Java.type("java.lang.Boolean");
if (/* Some sort of condition */) {
  // Condition holds: the policy is not active for this request.
  result = new boolType(false);
} else {
  result = new boolType(true);
}
// The value of the last expression is the rule's result.
result;
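The following is an added example and not part of the Shibboleth documentation. It shows a PolicyRule that combines two items from the data table above: it activates the policy only when the attribute recipient (taken from filterContext, using the getAttributeRecipientID() method of the IdP's AttributeFilterContext) is on an allow-list and the request carried an authenticated subject (the subjects array), so the policy does not fire for back-channel queries. The entityIDs in the allow-list are constructed placeholders. The decision is kept in a plain function with no Java types, so it can be exercised outside the IdP; only the glue at the bottom depends on the script engine's bindings.

```javascript
// Added example (not from the Shibboleth wiki): PolicyRequirementRule script that
// permits a policy only for allow-listed recipients on front-channel (authenticated)
// requests. Deploy as %{idp.home}/conf/scripts/<name>.js via <ScriptFile> as above.

// Constructed placeholder entityIDs; replace with the SPs the policy should cover.
var ALLOWED_RECIPIENTS = [
  "https://sp.example.org/shibboleth",
  "https://portal.example.edu/sp"
];

// Pure decision logic: no Java types here, so it runs under Node as well as under
// the IdP's Nashorn/JSR-223 engine.
function policyApplies(recipientId, subjectCount, allowList) {
  // Deny by default: a missing recipient ID must never match the allow-list.
  if (recipientId === null || recipientId === undefined) {
    return false;
  }
  // Back-channel queries carry no authenticated subject (see the data table);
  // the policy must not fire there.
  if (!(subjectCount > 0)) {
    return false;
  }
  // Exact string match on the entityID; String() copes with a java.lang.String.
  return allowList.indexOf(String(recipientId)) !== -1;
}

// --- IdP glue: only meaningful when evaluated by the IdP's script engine ---
var result;
if (typeof filterContext !== "undefined") {
  // The rule must return a java.lang.Boolean, as in the page's own example.
  var boolType = Java.type("java.lang.Boolean");
  // Assumed API: AttributeFilterContext.getAttributeRecipientID() yields the SP entityID.
  var recipient = filterContext.getAttributeRecipientID();
  // `subjects` is only bound when authentication took place; treat absent/null as zero.
  var nSubjects = (typeof subjects !== "undefined" && subjects !== null) ? subjects.length : 0;
  result = new boolType(policyApplies(recipient, nSubjects, ALLOWED_RECIPIENTS));
}
// The value of the last expression is what the IdP uses as the rule's result.
result;
```

Keeping the decision in a pure function also makes the rule easy to unit-test outside the IdP, which matters because a scripted policy that throws (for example on a null recipient) fails the whole filter rather than just this rule.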
