Configuring a Scriptlet Attribute Definition

NOTE: This connector is only included since IdP 1.3.1 (see announcement e-mail). If you use an earlier IdP release, you may retrieve it from the source control system if you feel comfortable doing so.

This attribute definition allows Java code to be written in the definition and executed when the attribute is requested. This provides nearly limitless flexibility for creating or transforming attributes. The scripts are processed by the BeanShell interpreter.

Configuring the Definition

  1. Create a ScriptletAttributeDefinition element with its id attribute.
  2. Create a Scriptlet element, child of ScriptletAttributeDefinition, whose content is Java code that should be executed when this attribute is requested. You may wish to place this data in a CDATA section to ensure it does not interfere with the XML processing.

The following fields are made available and may be used in the code

Field Name

Field Type

Description

resolverAttribute

edu.internet2.middleware.shibboleth.aa.attrresolv.ResolverAttribute

The incoming attribute

principal

java.security.Principal

The principal of the user whose attributes are being fetched

requester

String

The ID of the service provider to whom the attributes are going

responder

String

The ID of the identity provider

dependencies

edu.internet2.middleware.shibboleth.aa.attrresolv.Dependencies

The connectors and attributes this definition depends on

log

org.apache.log4j.Logger

The logger for this definition

Example Configuration

<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="directory"/>
        <Scriptlet><![CDATA[
            Attributes attributes = dependencies.getConnectorResolution("directory");
            Attribute affiliation = attributes.get("eduPersonAffiliation");
            if (affiliation.size() > 0) {
                resolverAttribute.addValue("affiliate");
            }
        ]]></Scriptlet>
</ScriptletAttributeDefinition>

Example Configuration for common-lib-terms

This example sets the eduPersonEntitlement to the common-lib-terms URN for a principal with affiliation staff or student while keeping any entitlement values retrieved from the directory.

For the definition of common-lib-terms, refer to http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html.

<ScriptletAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
   <DataConnectorDependency requires="directory"/>
   <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />
   <Scriptlet><![CDATA[
Attributes attributes = dependencies.getConnectorResolution("directory");

Attribute entitlement = attributes.get("eduPersonEntitlement");

// add values from directory
for (int i = 0; entitlement != null && i < entitlement.size(); i++)
{
    resolverAttribute.addValue(entitlement.get(i));
}

// add common-lib-terms for staff and student
Attribute attribute = attributes.get("eduPersonAffiliation");
if (attribute.contains("staff") ||
    attribute.contains("student"))
{
    resolverAttribute.addValue("urn:mace:dir:entitlement:common-lib-terms");
}
      ]]>
   </Scriptlet>
</ScriptletAttributeDefinition>