Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
Overview
The ScriptedAttribute AttributeDefinition constructs an output attribute via the execution of a JSR-223 script. Scripts are somewhat easier to write and maintain than native Java code, though they are slower. They can also be changed dynamically, since the resolver is a ReloadableService.
Scripting
Reference
Examples
Get eduPersonPrincipalName from LDAP or build one from uid
Variant 1: A "Prescoped" AttributeDefinition resolves existing eduPersonPrincipalName values from LDAP, then depends on a "ScriptedAttribute" definition to generate missing values. The script also needs a dependency on the myLDAP DataConnector in order to have access to the existing eduPersonPrincipalName and uid attribute values.
Minimal scripting, using Dependencies (Nashorn)
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped">
    <!-- Existing scoped values straight from LDAP, as the text above describes ... -->
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName" />
    <!-- ... plus the value the script builds when LDAP has none -->
    <InputAttributeDefinition ref="eppnFromUid" />
</AttributeDefinition>

<AttributeDefinition id="eppnFromUid" xsi:type="ScriptedAttribute" dependencyOnly="true">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName uid" />
    <Script><![CDATA[
        // Only build a value when LDAP supplied no eduPersonPrincipalName at all.
        if (typeof eduPersonPrincipalName == "undefined")
            eppnFromUid.addValue(uid.getValues().get(0) + "@example.org");
    ]]></Script>
</AttributeDefinition>
Variant 2: Doing everything in one "ScriptedAttribute" definition. Since the eduPersonPrincipalName values from LDAP will contain the scope but are simple strings at this point, we have to empty out the collection of values before adding the properly scope-aware values based on ScopedStringAttributeValue (described above).
All in one Script (Nashorn)
<AttributeDefinition id="eduPersonPrincipalName" xsi:type="ScriptedAttribute">
    <InputDataConnector ref="myLDAP" attributeNames="eduPersonPrincipalName uid" />
    <Script><![CDATA[
        var logger = Java.type("org.slf4j.LoggerFactory").getLogger("org.example.eppnbuilder");
        var scopedValueType = Java.type("net.shibboleth.idp.attribute.ScopedStringAttributeValue");

        var localpart = "";
        if (typeof eduPersonPrincipalName == "undefined" || eduPersonPrincipalName.getValues().size() < 1) {
            // Nothing usable from LDAP: derive the local part from uid.
            logger.debug("No ePPN in LDAP found, creating one");
            localpart = uid.getValues().get(0);
        } else {
            // The LDAP value is a plain "user@scope" string: keep its local part,
            // then empty the collection so only the scoped value remains.
            logger.debug("ePPN had value: " + eduPersonPrincipalName.getValues().get(0));
            localpart = eduPersonPrincipalName.getValues().get(0).split("@")[0];
            eduPersonPrincipalName.getValues().retainAll([]);
        }
        eduPersonPrincipalName.addValue(new scopedValueType(localpart, "example.org"));
        logger.debug("ePPN final value: " + eduPersonPrincipalName.getValues().get(0));
    ]]></Script>
</AttributeDefinition>
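The "all in one" script above can only be exercised inside a running IdP. The following is an added example, not code from the Shibboleth wiki or the project, that models the same logic in plain Node.js so it can be run and tested offline. The IdP objects are replaced by stand-ins of my own (makeAttribute for the ScriptedIdPAttribute calls the script uses, ScopedStringAttributeValue for the Java class's value/scope shape, buildEppn for the script body); LOCALPART_RE and the warnings are my additions and are not something the IdP enforces. Beyond the page's script, it fails closed (releases nothing) when neither LDAP nor uid yields a usable value, and it warns when an LDAP value carried a different scope than the one being written, which the original script rewrites silently.

```javascript
// Added example (not from the Shibboleth wiki): a Node.js model of the
// "all in one" ePPN script with stand-ins for the IdP objects.
//   makeAttribute(values)       stands in for a ScriptedIdPAttribute
//   ScopedStringAttributeValue  mirrors the Java class's (value, scope) shape
//   buildEppn(...)              is the script body as a function
// LOCALPART_RE is my own sanity check, not an IdP rule.

function makeAttribute(values) {
  const list = values.slice(); // backing store shared by every view
  return {
    // View exposing the Java-collection methods the script calls.
    getValues() {
      return {
        size: () => list.length,
        get: (i) => list[i],
        retainAll: (keep) => {
          for (let i = list.length - 1; i >= 0; i--) {
            if (!keep.includes(list[i])) list.splice(i, 1);
          }
        },
      };
    },
    addValue(v) { list.push(v); },
  };
}

class ScopedStringAttributeValue {
  constructor(value, scope) { this.value = value; this.scope = scope; }
  toString() { return this.value + "@" + this.scope; }
}

// Characters a local part may contain before it is released (assumption).
const LOCALPART_RE = /^[A-Za-z0-9._-]+$/;

// Returns the single scoped value now held by eduPersonPrincipalName, or
// null when no trustworthy value could be built (the attribute is then left
// empty, so nothing is released).
function buildEppn(eduPersonPrincipalName, uid, scope, log) {
  const values = eduPersonPrincipalName.getValues();
  let localpart;

  if (values.size() < 1) {
    log.debug("No ePPN in LDAP found, creating one");
    if (uid === undefined || uid.getValues().size() < 1) {
      // The page's script would throw here; failing closed is safer.
      log.warn("No uid available either; no ePPN released");
      return null;
    }
    localpart = String(uid.getValues().get(0));
  } else {
    const raw = String(values.get(0));
    log.debug("ePPN had value: " + raw);
    const at = raw.indexOf("@");
    localpart = at === -1 ? raw : raw.slice(0, at);
    const origScope = at === -1 ? null : raw.slice(at + 1);
    if (origScope !== null && origScope !== scope) {
      // The page's script silently rewrites the scope; make that visible.
      log.warn("ePPN scope " + origScope + " replaced by " + scope);
    }
    values.retainAll([]); // drop the plain string before adding the scoped value
  }

  if (!LOCALPART_RE.test(localpart)) {
    log.warn("Rejected ePPN local part: " + JSON.stringify(localpart));
    return null;
  }

  eduPersonPrincipalName.addValue(new ScopedStringAttributeValue(localpart, scope));
  const result = eduPersonPrincipalName.getValues().get(0);
  log.debug("ePPN final value: " + result);
  return result;
}

// Stand-alone run over constructed LDAP data.
console.log(String(buildEppn(makeAttribute(["jdoe@example.org"]),
                             makeAttribute(["jdoe"]), "example.org", console)));
console.log(String(buildEppn(makeAttribute([]),
                             makeAttribute(["jsmith"]), "example.org", console)));
```

Passing the logger in as a parameter keeps the function testable; inside the IdP the equivalent is the slf4j logger the page's script obtains through Java.type.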