The Shibboleth IdP V3 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP4 wiki space for current documentation on the supported version.
PredefinedBeans
- Rod Widdowson
- Scott Cantor
A standard IdP configuration provides you with many "named beans" which are there to simplify configuration and to reduce the burden of remembering the specific class names. For ease of navigation, this topic divides them into three groups, Predicates (including ActivationConditions), Functions and other beans.
Predicates
All Predicates beans are implementation of the Predicate interface, that is to say they are given a "thing" and return true or false.
Logic
shibboleth.Conditions.FALSEÂ - always return FALSE for any input
shibboleth.Conditions.TRUEÂ -Â always return TRUE for any input
shibboleth.Conditions.AND - the result is the logical conjunction of two (similarly typed) conditions
shibboleth.Conditions.ORÂ Â - the result is the logical disjunction of two (similarly typed) conditions
shibboleth.Conditions.NOT - the result is the logical negation of the provided condition
Activation
The most important use of Predicates is in ActivationConditions, and the majority of the predefined beans are of type Predicate<ProfileRequestContext>. In the role of ActivationConditions they are called with the current ProfileRequestContext.
shibboleth.Conditions.BrowserProfile
Â- return TRUE if the current profile is one which assumes browser interaction.shibboleth.Conditions.RelyingPartyId
Â- return TRUE based on the entityID of the relying partyÂshibboleth.Conditions.Scripted - return the value specified by a JSR-223 script
shibboleth.Conditions.Expression - return the value specified by an expression
Âshibboleth.Conditions.Predicate
shibboleth.Conditions.EntityDescriptor
shibboleth.Conditions.SubjectName
shibboleth.Conditions.AllowedSAMLPresenters
shibboleth.Conditions.IssuingDelegatedAssertion
Attribute Predicates
These predicates support decisions based on a subject's attributes that have been resolved (so far). All variants allow for either the filtered or unfiltered attributes to be consulted. Obviously these predicates are only valid after attribute resolution has taken place.
None of these currently have "shorthand" names and so their FQ Java classname has to be used.
net.shibboleth.idp.profile.logic.DateAttributePredicate - returns TRUE if the content of the provided attribute parses to a date which is later that the current time
net.shibboleth.idp.profile.logic.SimpleAttributePredicate - Matches the (all the) attributes' values against a lookup table (AttributeName, value)
net.shibboleth.idp.profile.logic.RegexAttributePredicate - applies a regularg expression against the values of a specified attibute
Other useful Predicate classes
These are not named beans, but the classes can be useful:
org.opensaml.profile.logic.IPRangePredicate
net.shibboleth.utilities.java.support.logic.StrategyIndirectedPredicate
net.shibboleth.ext.spring.util.SpringExpressionFunction
See Also
Functions
All Function beans are implementation of the Function interface, that is to say they are given a "thing" and return "some othre thing". Whilst this may sound of limited utili
Context Functions
shibboleth.MessageContextLookup.Inbound
shibboleth.ContextFunctions.Scripted
shibboleth.ContextFunctions.Expression
shibboleth.MessageContextLookup.Inbound
shibboleth.MessageContextLookup.Outbound
shibboleth.MessageLookup.SAMLObject
shibboleth.MessageLookup.AuthnRequest
Other Beans
shibboleth.Pair
shibboleth.CommaDelimStringArray
shibboleth.NonFailFastValidator
shibboleth.HttpServletRequest
shibboleth.HttpServletResponse