The Shibboleth IdP V4 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only. See the IDP5 wiki space for current documentation on the supported version.

PreRequestedAttributes

The AttributeContext, which contains the results of the attribute resolution, cannot be and is not populated into the context tree until attribute resolution has completed. This means that ActivationConditions for DataConnectors or AttributeDefinitions cannot depend on the AttributeContext's contents.

To work around this, the resolver can be instructed to resolve a limited set of attributes (and their dependencies) and place the results into an "intermediate" AttributeContext which is stored under the resolution context.  A SimpleAttributePredicate (or any other suitable condition object), customized to locate this intermediate AttributeContext, can then be used as an activation condition. A predefined bean named shibboleth.ChildLookup.PreRequestedAttributeContext is provided for this purpose.

You should bear the following in mind:

  • The intermedate AttributeContext is populated with all pre-requested attributes (and any dependent attribute definitions) regardless of whether the definition is defined as being a dependency-only plugin.

  • The results of any data connector's resolution are only available if a pre-requested attribute exposes them.

  • The pre-requested Attributes and all their dependencies are resolved during the pre-request resolution phase. You need to ensure that the DataConnector or Attribute Definition you are guarding with the activation condition does not get resolved 'by accident'.

  • An activation condition can determine whether the resolution is for a pre-requested Attribute (or its dependency) or not by looking for the child AttributeContext . There will always be a child AttributeContext (even if empty) during main resolution, but there will never be one during pre-request resolution.

  • AttributeDefinitions and DataConnectors are only resolved once, either during the pre-request pass or during "normal resolution".

Example

Predicate for PreRequested Attributes
<bean id="MyCondition" class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate" p:attributeContextLookupStrategy-ref="shibboleth.ChildLookup.PreRequestedAttributeContext"> <property name="attributeValueMap"> <!-- Usual configuration elided --> </property> </bean>
Defining a preRequested Attibute
<AttributeDefinition xsi:type="Simple" id="preRequested" preRequested="true" dependencyOnly="true"> <InputDataConnector ref="MyDataConnextor" attributeNames="PreRequest"/> </AttributeDefinition>