Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Namespace: urn:mace:shibboleth:2.0:resolver
Schema: http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd

Overview

The ScriptedDataConnector data connector allows the creation of multiple IdPAttribute objects via a JSR-223 script. Scripts are somewhat easier to write and maintain than native Java code, though they are slower. They can also be changed dynamically since the resolver is a ReloadableService.

Script Context

The script "context" defines the execution environment for the script and provides the following variables:

  • resolutionContext

    • AttributeResolutionContext for the current resolution step, which exists within the tree of state information that tracks the current request

  • connectorResults

    • List which the connector populates with IdPAttribute objects and which form the output of the connector

  • profileContext

  • custom

    • Contains whatever bean was referenced by the customObjectRef XML Attribute

  • subjects

    • Array of Subject objects associated with this request. Note that these will only be present if the attribute resolution is associated with a completed authentication step (so is not present for back channel requests or certain other cases).

In addition, each defined dependency of the connector, it exists, will be present via an object which implements ScriptedIdPAttribute.

For an AttributeDefinition dependency, that IdPAttribute is supplied. For a DataConnector dependency, each IdPAttribute produced by that connector is supplied.

The variable's name will be the attribute ID of the attribute from the dependency. In the event that more than one dependency produces attributes with the same ID, the values of all of those attributes are merged and made available to the script.

Note that any changes made to these dependency objects within the script will not be reflected in the result of the resolution process. In contrast, changes made to other objects accessed by means of the other variables in most cases will cause side effects, and should usually be avoided.

Reference

 Specific XML Attributes

Name

Type

Default

Description

language

string

JavaScript

Defines the JSR-223 language to use. The default is ECMA script using either the Rhino (Java 7) or Nashorn (Java 8+) engines.

This situation is in flux due to the removal of Nashorn from future Java versions, and plugins are available for V4.1+ that supply one of these options at the deployer's discretion.

customObjectRef

string


The name of a Spring Bean defined elsewhere. This bean will be made available to the script with the name "custom".

 Specific XML Elements

The following XML Elements are specific to this connector, and one of them must be supplied:

Name

Description

<Script>

The contents define the script to execute, usually wrapped in an XML CDATA block to avoid escaping

<ScriptFile>

The contents define a file which contains the script to execute

 Common XML Attributes

Name

Type

Default

Description

id

String


Identifier for the DataConnector. This is used for logging, to establish dependencies, and as a target for failover.

activationConditionRef

Bean ID


Bean ID of a condition to decide whether to resolve this connector, see here.
Mutually exclusive with relyingParties and resolutionPhases and variants

relyingParties

Space-delimited list


List of entity IDs for which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeRelyingParties

Space-delimited list


List of entity IDs for which this connector should not be resolved.
Mutually exclusive with activationConditionRef

resolutionPhases

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should be resolved.
Mutually exclusive with activationConditionRef

excludeResolutionPhases

Space-delimited list


List of resolution phases (i.e. flows) during which this connector should not be resolved.
Mutually exclusive with activationConditionRef

exportAttributes

Space-delimited list


List of attributes produced by the DataConnector that should be directly exported as resolved IdPAttributes without requiring actual AttributeDefinitions.

In the case of a name clash (a DataConnector exports an attribute with the same name as an AttributeDefinition, or another DataConnector exports the same attribute) the DataConnector attribute is NOT added and a warning issued.

noRetryDelay

Duration

0

Time between retries of a failed DataConnector (during the interval, failure is just assumed when the connector is run and no actual connection is attempted)

propagateResolutionExceptions

Boolean

true

Whether connector/plugin failure is fatal to the entire attribute resolution process.
If this is set to false the error is logged and the data connector returns no attributes.

 Common XML Elements

Name

Cardinality

Description

<InputAttributeDefinition>

0 or more

This element identifies an attribute definition which is an input to this data connector

<InputDataConnector>

0 or more

This element identifies a data connector whose attributes are to be input to this data conector

<FailoverDataConnector>   

0 or 1

This element has a single attribute ref="whatever" whose content is the identifier of a data connector to resolve if this data connector fails (for instance due to the external data source being unavailable)

Examples

Nashorn Scripted Data Connector
<DataConnector id="ScriptedAttributeConnector" xsi:type="ScriptedDataConnector">
	<Script><![CDATA[
IdPAttribute = Java.type("net.shibboleth.idp.attribute.IdPAttribute");
StringAttributeValue = Java.type("net.shibboleth.idp.attribute.StringAttributeValue");
HashSet = Java.type("java.util.HashSet");
Integer = Java.type("java.lang.Integer");

attr = new IdPAttribute("ScriptedOne");
set = new HashSet(2);
set.add(new StringAttributeValue("Value 1"));
set.add(new StringAttributeValue("Value 2"));
attr.setValues(set);
connectorResults.add(attr);

attr = new IdPAttribute("TwoScripted");
set = new HashSet(3);
set.add(new StringAttributeValue("1Value"));
set.add(new StringAttributeValue("2Value"));
set.add(new StringAttributeValue("3Value"));
attr.setValues(set);
connectorResults.add(attr);
	]]></Script>
</DataConnector>

This Rhino example is a hold over from older versions but may be useful in the future once it becomes a supported option again.

Rhino Scripted Data Connector
<DataConnector id="ScriptedAttributeConnector" xsi:type="ScriptedDataConnector">
	<Script><![CDATA[
importPackage(Packages.net.shibboleth.idp.attribute);
importPackage(Packages.java.util);
importPackage(Packages.java.lang);

attr = new IdPAttribute("ScriptedOne");
set = new HashSet(2);
set.add(new StringAttributeValue("Value 1"));
set.add(new StringAttributeValue("Value 2"));
attr.setValues(set);
connectorResults.add(attr);
attr = new IdPAttribute("TwoScripted");
set = new HashSet(3);
set.add(new StringAttributeValue("1Value"));
set.add(new StringAttributeValue("2Value"));
set.add(new StringAttributeValue("3Value"));
attr.setValues(set);
connectorResults.add(attr);
	]]></Script>
</DataConnector>

  • No labels