
grouper-users - RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

Subject: Grouper Users - Open Discussion List

  • From: "Jie Lv" <>
  • To: "'Tom Zeller'" <>
  • Cc: <>
  • Subject: RE: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
  • Date: Fri, 23 Sep 2011 11:56:56 +0800

So I understand, what do you think the problem is between lines 199-200?
---
Line 199 is:
nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
I don't quite understand why you're using GrouperUtil.toList( ) instead of
Java Util classes to construct a list?

Originally I was using Shib IdP version 2.1.1. I thought the problem might
have something to do with the fact that Shib IdP version was too old. Now I
switched to use Shib IdP version 2.3.3, the latest version. The problem is
exactly the same.

I examined your code for MemberDataConnector. I found that both line 257 and
261 are the same " return attributes; ".
The log information in idp-process.log is given by code from line 249 to
256, just before line 257. But line 257 is the return value of the function
below:
public Map<String, BaseAttribute> callback(GrouperSession grouperSession)

And line 261 is the return value of the function below:
public Map<String, BaseAttribute> resolve(ShibbolethResolutionContext resolutionContext)

The variable "attributes" in line 261, INSTEAD OF the variable in line 257,
is the value to be used by Shibboleth.
I'm not quite sure why you wrote the code like this.
But I wonder if you could insert the code for logging before line 261 to
check if the return value for function resolve() is correct?


Jie
-----Original Message-----
From: [mailto:] On Behalf Of Tom Zeller
Sent: Friday, September 23, 2011 12:23 AM
To: Jie Lv
Cc:
Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth

So I understand, what do you think the problem is between lines 199-200?

The MemberDataConnector

<resolver:DataConnector id="MemberDataConnector2"
                        xsi:type="grouper:MemberDataConnector">
  <grouper:Attribute id="groups" />
</resolver:DataConnector>

returns one attribute with id "groups" whose value is all of the
grouper Group objects (class edu.internet2.middleware.grouper.Group)
that the principal "10101" is a member of.

2011-09-22 14:47:17,288 DEBUG [edu.internet2.middleware.grouper.shibboleth.dataConnector.MemberDataConnector:253] - resolve '10101' dc 'MemberDataConnector2' 'groups' : Group[name=pkuid:faculty:cc,uuid=8cb08ed56aec4638beb3f4fa112d8e8a]

The GroupAttributeDefinition

<resolver:AttributeDefinition id="isMemberOf" xsi:type="grouper:Group"
                              sourceAttributeID="groups">
  <resolver:Dependency ref="MemberDataConnector2" />
  <grouper:Attribute id="name" />
</resolver:AttributeDefinition>

returns one attribute with id "isMemberOf" whose value is the "name"
of all of the grouper Group objects (from the "groups" attribute). The
GroupAttributeDefinition "converts" grouper Group objects to shib
attributes.

Looks ok to me, and the logs seem to confirm that the desired
attributes are returned properly from the attribute resolver.

On Thu, Sep 22, 2011 at 3:47 AM, Jie Lv <> wrote:
> I checked the source code for
> edu.internet2.middleware.grouper.Group.MemberDataConnector
>
> Below is from line 190 to line 202 of the code.
> 190        MemberDataConnector.LOG.debug("resolve {} subjectIDs {}", msg, MemberDataConnector.this.getSubjectAttributeIdentifiers());
> 191        for (AttributeIdentifier attributeIdentifier : MemberDataConnector.this.getSubjectAttributeIdentifiers()) {
> 192          MemberDataConnector.LOG.debug("resolve {} member {} field {}", new Object[] { msg, member, attributeIdentifier });
> 193          if (subject.getSourceId().equals(attributeIdentifier.getSource()))
> 194          {
> 195            if (attributeIdentifier.getId().equals("name")) {
> 196              String name = subject.getName();
> 197              if (name != null) {
> 198                BasicAttribute nameAttribute = new BasicAttribute("name");
> 199                nameAttribute.setValues(GrouperUtil.toList(new String[] { name }));
> 200                attributes.put(nameAttribute.getId(), nameAttribute);
> 201              }
> 202            }
>
> It seems to me that maybe something went wrong between line 199 and line
> 200.
>
> Jie
> -----Original Message-----
> From: [mailto:] On Behalf Of Peter Schober
> Sent: Thursday, September 22, 2011 4:13 PM
> To:
> Subject: Re: [grouper-users] Problem with configuration of Grouper Plugin for Shibboleth
>
> * Jie Lv <> [2011-09-22 10:04]:
>> 2011-09-22 15:57:28,989 DEBUG [edu.internet2.middleware.grouper.shibboleth.attributeDefinition.GroupAttributeDefinition:94] - resolve '10101' ad 'isMemberOf' value 'pkuid:faculty:cc'
>
> Not having seen Grouper's shib plugin before I would assume that to
> mean that there is indeed a value for isMemberOf (btw, should that be
> "as" in the log message, instead of "ad" above?).
>
>> 2011-09-22 15:57:29,060 INFO [Shibboleth-Audit:898] - 20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_493b006278b68a310c35a6d8f95bb93f|https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://idp2.pku.edu.cn/idp/shibboleth/carsifed|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_5e5be99e8bd569b99822e87506d849c8|10101|urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|isMemberOf,transientId,carsifed:username,|||
>
> And this usually would mean that the attribute isMemberOf was in fact
> released (the IdP usually filters out empty attributes which, again,
> would hint at the existing value).
> But obviously it's not part of the attribute statement you posted,
> which looks like a bug somewhere (the IdP should not be logging it
> sent isMemberOf in the audit.log when in fact it didn't).
>
>> Still, it seems to me that Grouper Plugin could get isMemberOf
>> attribute, but IdP failed to release it to SP.
>
> I guess Tom will need to take this up with the Shib developers.
> -peter
>
>
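
The comparison made in the thread between the IdP audit entry and the attribute statement the SP received, as an added example (not part of any message above, and not Shibboleth or Grouper code). Assumptions: the field order is the IdP 2.x pipe-delimited audit layout, the attribute statement is constructed for illustration, each SAML attribute's FriendlyName equals its resolver ID, and transientId is carried as a NameID rather than in the attribute statement.

```python
import xml.etree.ElementTree as ET

# Assumed field order of a Shibboleth IdP 2.x audit entry (pipe-delimited).
AUDIT_FIELDS = (
    "requestTime", "requestBinding", "requestId", "relyingPartyId",
    "messageProfileId", "assertingPartyId", "responseBinding", "responseId",
    "principalName", "authNMethod", "releasedAttributes", "nameIdentifier",
    "assertionIds",
)
SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Audit entry from the thread, with the mail client's line wrapping undone.
AUDIT_LINE = (
    "20110922T075729Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|"
    "_493b006278b68a310c35a6d8f95bb93f|"
    "https://sp-chat.zzu6.edu.cn/shibboleth-sp/carsifed|"
    "urn:mace:shibboleth:2.0:profiles:saml2:sso|"
    "https://idp2.pku.edu.cn/idp/shibboleth/carsifed|"
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|"
    "_5e5be99e8bd569b99822e87506d849c8|10101|"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified|"
    "isMemberOf,transientId,carsifed:username,|||"
)

# Constructed attribute statement (the one posted to the list is not on this page).
SAMPLE_STATEMENT = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute FriendlyName="carsifed:username" Name="urn:example:username">
    <saml2:AttributeValue>10101</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""

def parse_audit_line(line):
    """Split one audit entry into named fields; released IDs become a list."""
    parts = line.strip().split("|")
    if len(parts) < len(AUDIT_FIELDS):
        raise ValueError("truncated audit entry: %d fields" % len(parts))
    entry = dict(zip(AUDIT_FIELDS, parts))
    # The ID list carries a trailing comma, so drop empty items.
    entry["releasedAttributes"] = [a for a in entry["releasedAttributes"].split(",") if a]
    return entry

def asserted_attribute_ids(statement_xml):
    """IDs actually present in the statement (FriendlyName, else Name)."""
    root = ET.fromstring(statement_xml)  # trusted sample; use a hardened parser for live input
    return {a.get("FriendlyName") or a.get("Name")
            for a in root.iterfind(".//saml2:Attribute", SAML_NS)}

def missing_from_assertion(audit_line, statement_xml, nameid_only=()):
    """IDs the audit log claims were released but the statement lacks."""
    released = set(parse_audit_line(audit_line)["releasedAttributes"])
    return sorted(released - asserted_attribute_ids(statement_xml) - set(nameid_only))

if __name__ == "__main__":
    print(missing_from_assertion(AUDIT_LINE, SAMPLE_STATEMENT, {"transientId"}))
```

A non-empty result for a login is the mismatch Peter describes: the audit log records an attribute as released that never reached the attribute statement.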



