The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.

ScriptedDataConnector

Owned by Rod Widdowson
Last updated: Nov 30, 2016 by Scott Cantor
2 min read

The ScriptedDataConnector data connector allows the creation of multiple attributes by a JSR-233 script.

When specified in the urn:mace:shibboleth:2.0:resolver:dc namespace, the xsi:type was Script.

Schema Name and Location

This xsi:type is defined by the urn:mace:shibboleth:2.0:resolver schema 3.3, located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd.

Prior to V3.3 supplied plugins were defined by a schema type (xsi:type) in the urn:mace:shibboleth:2.0:resolver:dc namespace, the schema for which is located at http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd. This is still supported, but every element or type in the  urn:mace:shibboleth:2.0:resolver:dc namespace has an equivalently named (but not necessarily identical) version in the urn:mace:shibboleth:2.0:resolver namespace. The use of the urn:mace:shibboleth:2.0:resolver namespace also allows a relaxation of the ordering requirements of child elements to reduce strictness.

Attributes

Any of the common attributes can be specified. 

In addition, the following attributes may be provided:

Name
Type
Req?
Default
Description
language
stringNJavaScriptDefines the JSR-233 language to use. The default is ECMA script using either the Rhino (Java 7) or Nashorn (Java 8) engines.

customObjectRef 3.2

stringN The name of a Spring Bean defined elsewhere. This bean will be made available to the script with the name "custom". See the ScriptedAttributeDefinition for more details

Child Elements

Any of the common child elements can be specified. In addition one of the following two elements must be defined:

NameCardinalityDescription
<Script>


0 or 1 (total)

The contents define the script to execute
<ScriptFile>The contents define a file which contains the script to execute

Script Context

The script will have the following variables available:

  • resolutionContext
  • connectorResults
    • a List which the connector populates with IdPAttribute objects.  These form the output of the dataconnector.
  • profileContext
  • custom 3.2
    • contains whatever was provided by the customObjectRef attribute (see above)
  • subjects 3.3
    • an array of the java javax.security.auth.Subject objects associated with this authorization.  Note that these will only be present if the attribute resolution has been associated with an Authentication (and so this will not work for back channel requests).

Examples

Rhino (Java 7) Scripted Data Connector 
<DataConnector id="ScriptedAttributeConnector" xsi:type="ScriptedDataConnector">
	<Script><![CDATA[
importPackage(Packages.net.shibboleth.idp.attribute);
importPackage(Packages.java.util);
importPackage(Packages.java.lang);

attr = new IdPAttribute("ScriptedOne");
set = new HashSet(2);
set.add(new StringAttributeValue("Value 1"));
set.add(new StringAttributeValue("Value 2"));
attr.setValues(set);
connectorResults.add(attr);
attr = new IdPAttribute("TwoScripted");
set = new HashSet(3);
set.add(new StringAttributeValue("1Value"));
set.add(new StringAttributeValue("2Value"));
set.add(new StringAttributeValue("3Value"));
attr.setValues(set);
connectorResults.add(attr);
	]]></Script>
</DataConnector>
Nashorn (Java 8) Scripted Data Connector 
<DataConnector id="ScriptedAttributeConnector" xsi:type="ScriptedDataConnector">
	<Script><![CDATA[
IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
HashSet = Java.type("java.util.HashSet");
Integer = Java.type("java.lang.Integer");

attr = new IdPAttribute("ScriptedOne");
set = new HashSet(2);
set.add(new StringAttributeValue("Value 1"));
set.add(new StringAttributeValue("Value 2"));
attr.setValues(set);
connectorResults.add(attr);

attr = new IdPAttribute("TwoScripted");
set = new HashSet(3);
set.add(new StringAttributeValue("1Value"));
set.add(new StringAttributeValue("2Value"));
set.add(new StringAttributeValue("3Value"));
attr.setValues(set);
connectorResults.add(attr);
	]]></Script>
</DataConnector>

Spring Configuration 3.1

The Script Data Connector can be configured using the springResources or springResourcesRef attributes, but this is deprecated since it renders the "custom" object unusable.

A single bean can be specified, being of type EvaluableScript.