
grouper-users - Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: Tom Zeller <>
  • To: Jie Lv <>
  • Cc:
  • Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Thu, 22 Sep 2011 11:23:08 -0500

So I understand, what do you think the problem is between lines 199-200?

The MemberDataConnector

<resolver:DataConnector id="MemberDataConnector2"
xsi:type="grouper:MemberDataConnector">
<grouper:Attribute id="groups" />
</resolver:DataConnector>

returns one attribute with id "groups" whose value is all of the
grouper Group objects (class edu.internet2.middleware.grouper.Group)
that the principal "10101" is a member of.

2011-09-22 14:47:17,288 DEBUG
[edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253]
- resolve '10101' dc 'MemberDataConnector2' 'groups' :
Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]

The GroupAttributeDefinition

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group"
sourceAttributeID="groups" >
<resolver:Dependency ref="MemberDataConnector2" />
<grouper:Attribute id="name" />

returns one attribute with id "isMemberOf" whose value is the "name"
of all of the grouper Group objects (from the "groups" attribute). The
GroupAttributeDefinition "converts" grouper Group objects to shib
attributes.

Looks ok to me, and the logs seem to confirm that the desired
attributes are returned properly from the attribute resolver.

On Thu, Sep 22, 2011 at 3:47 AM, Jie Lv <> wrote:
> I checked the source code for
> edu.internet2.middleware.grouper.Group.MemberDataConnector
>
> Below is from line 190 to line 202 of the code.
> 190        MemberDataConnector.LOG.debug("resolve {} subjectIDs {}", msg, MemberDataConnector.this.getSubjectAttributeIdentifiers());
> 191        for (AttributeIdentifier attributeIdentifier : MemberDataConnector.this.getSubjectAttributeIdentifiers()) {
> 192          MemberDataConnector.LOG.debug("resolve {} member {} field {}", new Object[] { msg, member, attributeIdentifier });
> 193          if (subject.getSourceId().equals(attributeIdentifier.getSource()))
> 194          {
> 195            if (attributeIdentifier.getId().equals("name")) {
> 196              String name = subject.getName();
> 197              if (name != null) {
> 198                BasicAttribute nameAttribute = new BasicAttribute("name");
> 199                nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
> 200                attributes.put(nameAttribute.getId(), nameAttribute);
> 201              }
> 202            }
>
> It seems to me that maybe something went wrong between line 199 and line
> 200.
>
> Jie
> -----Original Message-----
> From: [mailto:] On Behalf Of Peter Schober
> Sent: Thursday, September 22, 2011 4:13 PM
> To:
> Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
>
> * Jie Lv <> [2011-09-22 10:04]:
>> 2011-09-22 15:57:28,989 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:94] - resolve '10101' ad 'isMemberOf' value 'pkuid:faculty:cc'
>
> Not having seen Grouper's shib plugin before I would assume that to
> mean that there is indeed a value for isMemberOf (btw, should that be
> "as" in the log message, instead of "ad" above?).
>
>> 2011-09-22 15:57:29,060 INFO [Shibboleth-Audit:898] -
>> 20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_493b006278b68a310c35a6d8f95bb93f|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_5e5be99e8bd569b99822e87506d849c8|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|isMemberOf,transientId,carsifed:username,|||
>
> And this usually would mean that the attribute isMemberOf was in fact
> released (the IdP usually filters out empty attributes which, again,
> would hint at the existing value).
> But obviously it's not part of the attribute statement you posted,
> which looks like a bug somewhere (the IdP should not be logging it
> sent isMemberOf in the audit.log when in fact it didn't).
>
>> Still, it seems to me that Grouper Plugin could get isMemberOf
>> attribute, but IdP failed to release it to SP.
>
> I guess Tom will need to take this up with the Shib developers.
> -peter
>
>
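Added example, not part of the original thread or of the Grouper or Shibboleth code: a small parser for the Shibboleth-Audit entry quoted above, which lists the attribute IDs the IdP recorded as released and checks for an expected one. The field names are labels chosen here, and the field order is an assumption based on the IdP 2.x pipe-delimited audit layout.

```python
"""Parse one Shibboleth IdP audit entry and report the attribute IDs it lists."""

# Assumed field order of the IdP 2.x audit line; the names are labels chosen here.
AUDIT_FIELDS = [
    "event_time", "request_binding", "request_id", "relying_party",
    "message_profile", "asserting_party", "response_binding", "response_id",
    "principal", "authn_method", "released_attributes", "name_identifier",
    "assertion_ids",
]

# The audit entry quoted in the thread, with the mail line wraps removed.
SAMPLE = (
    "20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "_493b006278b68a310c35a6d8f95bb93f|"
    "https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|"
    "urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://idp2.pku.edu.cn/idp/shibboleth/carsifed|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_5e5be99e8bd569b99822e87506d849c8|10101|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|"
    "isMemberOf,transientId,carsifed:username,|||"
)


def parse_audit_line(line):
    """Return a dict for one audit entry; list-valued fields become lists."""
    # Drop a logger prefix such as "... INFO [Shibboleth-Audit:898] - " if present.
    payload = line.split("] - ", 1)[-1].strip()
    parts = payload.split("|")
    if len(parts) < len(AUDIT_FIELDS):
        raise ValueError("expected at least %d fields, got %d"
                         % (len(AUDIT_FIELDS), len(parts)))
    record = dict(zip(AUDIT_FIELDS, parts))
    # Attribute and assertion IDs are comma-terminated lists; drop empty items.
    for key in ("released_attributes", "assertion_ids"):
        record[key] = [item for item in record[key].split(",") if item]
    return record


def missing_attributes(record, expected):
    """Return the expected attribute IDs that the audit entry does not list."""
    return sorted(set(expected) - set(record["released_attributes"]))


if __name__ == "__main__":
    rec = parse_audit_line(SAMPLE)
    print(rec["principal"], "->", rec["relying_party"])
    print("released:", rec["released_attributes"])
    print("missing:", missing_attributes(rec, ["isMemberOf"]))
```

As the thread points out, the audit entry and the attribute statement the SP actually receives can disagree, so a clean result here still has to be compared with the decoded assertion.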


