shibboleth-dev - AA design
Subject: Shibboleth Developers
- From: Parviz Dousti <>
- To:
- Subject: AA design
- Date: Fri, 17 May 2002 14:41:07 -0400
Folks,
There was some interest this past Monday to talk about how the attribute values are fetched by (or provided to) the AA. I guess the objective here is to implement this to be quite flexible and yet work out of the box for the most straightforward cases.
I explain how the current implementation works and we go from there. This might be useful for documentation too.
When AAServlet starts up, it creates an AAResponder object. Among the arguments passed to the constructor of this object is an object called "Context" which is used for getting attribute values. The Context is created by a plugin (a Java class). The name of this plugin is given to the servlet as a parameter. The plugin must implement "javax.naming.spi.InitialContextFactory". The Context that the plugin creates must implement the "javax.naming.directory.DirContext" interface. The plugin must also implement "javax.naming.directory.Attribute" and "javax.naming.directory.Attributes". Our default plugin is the one provided by Sun called "com.sun.jndi.ldap.LdapCtxFactory".
At this point an initial Context is created and kept around by the servlet engine. This allows for good performance as the "connection" to the directory or database or whatever is done once.
Once the AA gets a request for a given user it needs to change the Context to this user's context. In LDAP terminology it needs to move from e.g. "ou=person, dc=myUniversity, dc=edu" to "uid=user, ou=person, dc=myUniversity, dc=edu". In SQL terms it might need to create a result set that holds this user's attributes, etc. This operation is done by calling the "lookup" method of the Context and passing in a string like "uid=user".
Now the AA works on ARPs and comes up with a set of ArpAttribute objects. For each one of these objects it calls their "getDirAttribute" method and passes in the Context. This method in turn calls the "getAttributes" method of the Context and also passes in the name of the attribute. At this point the Context can do whatever it likes to obtain a set of values for this attribute. Our default Context simply looks up LDAP to get the values.
Values are returned to AAResponder which creates an Array of SAMLAttributes.
This would work out of the box for sites that use LDAP and where the user is identified by a uid which is kept in the Handle. All one needs to do is set 2 parameters in AAServlet. One would look like
dirUrl = ldap://metadir.andrew.cmu.edu/ou=person,dc=myUniversity,dc=edu
and
ldapUserDnPhrase = uid
I could not use the default for CMU as here a Person is identified by a guid (a very long number) but one authenticates by an Account ID (mine is ). I had to write my own plugin to get around this. The only thing I really had to implement was the "lookup" method, which did a search on the account ID and found the guid, then set the context to guid=xxxx. The plugin is very simple and can be seen in the src directory (files CmuCtxFactory.java and CmuDirContext.java).
I also provided a plugin to get the attribute values from a SQL database. You have seen this in ArpUtil. It is pretty crude, but it is just to demonstrate how things like that can be done.
Hope this helps,
Parviz
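The flow Parviz describes (InitialContextFactory plugin, "lookup" to descend to the user's entry, "getAttributes" per ARP attribute) as an added illustration that is not part of the original message and not the Shibboleth or CMU plugin code. Everything here is hypothetical: the class names AaPluginExample, ExampleCtxFactory and ExampleDirContext, the helper escapeFilterValue, and the in-memory account/guid/attribute data are all constructed for the example. The context is backed by a map rather than LDAP so it runs offline, but it exercises the same JNDI wiring AAServlet would use. Two practitioner points are built in: the user-level context only hands back the attribute ids it is asked for, and the filter-escaping helper shows the one thing an LDAP-backed "lookup" that searches on the handle's subject must do before splicing that value into a search filter.

```java
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import javax.naming.Context;
import javax.naming.NameNotFoundException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.spi.InitialContextFactory;

// Hypothetical AA attribute-source plugin (not the Shibboleth or CMU code):
// an InitialContextFactory that returns a DirContext, backed by constructed
// in-memory data instead of a real directory or database.
public class AaPluginExample {

    // Constructed sample data: account id -> guid, guid -> attributes.
    static final Map<String, String> ACCOUNT_TO_GUID = new HashMap<>();
    static final Map<String, Attributes> GUID_TO_ATTRS = new HashMap<>();
    static {
        ACCOUNT_TO_GUID.put("jdoe", "1000000000000042");
        BasicAttributes a = new BasicAttributes(true); // case-insensitive ids
        a.put("eduPersonAffiliation", "member");
        BasicAttribute ent = new BasicAttribute("eduPersonEntitlement");
        ent.add("urn:mace:example.edu:library");
        ent.add("urn:mace:example.edu:wiki");
        a.put(ent);
        GUID_TO_ATTRS.put("1000000000000042", a);
    }

    // The plugin named in the AAServlet parameter; JNDI instantiates it by name.
    public static class ExampleCtxFactory implements InitialContextFactory {
        public Context getInitialContext(Hashtable<?, ?> env) throws NamingException {
            return new ExampleDirContext(null); // "ou=person" level: no user yet
        }
    }

    // DirContext positioned at the people container (guid == null) or at one
    // person's entry. Extending InitialDirContext lazily supplies the many
    // DirContext methods the AA never calls; the two it does call are below.
    public static class ExampleDirContext extends InitialDirContext {
        private final String guid;

        ExampleDirContext(String guid) throws NamingException {
            super(true); // lazy: do not go looking for another provider
            this.guid = guid;
        }

        // "lookup" moves from the container to the user's entry. The AA passes
        // "<ldapUserDnPhrase>=<handle subject>", e.g. "uid=jdoe"; like the CMU
        // plugin, we resolve the account id to the guid that keys the entry.
        @Override
        public Object lookup(String name) throws NamingException {
            int eq = name.indexOf('=');
            if (eq < 0) throw new NamingException("expected attr=value, got " + name);
            String g = ACCOUNT_TO_GUID.get(name.substring(eq + 1).trim());
            if (g == null) throw new NameNotFoundException("no person for " + name);
            return new ExampleDirContext(g);
        }

        // ArpAttribute.getDirAttribute asks the user-level context for one
        // attribute by name; return only what was asked for, nothing more.
        @Override
        public Attributes getAttributes(String name, String[] attrIds) throws NamingException {
            if (guid == null) throw new NamingException("lookup a user first");
            Attributes all = GUID_TO_ATTRS.get(guid);
            if (attrIds == null) return (Attributes) all.clone();
            BasicAttributes subset = new BasicAttributes(true);
            for (String id : attrIds) {
                Attribute attr = all.get(id);
                if (attr != null) subset.put((Attribute) attr.clone());
            }
            return subset;
        }
    }

    // RFC 4515 escaping for a search-filter value. The in-memory plugin above
    // does not build a filter, but an LDAP-backed "lookup" that searches on the
    // handle subject must pass the value through this before use.
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws NamingException {
        // Same wiring AAServlet does from its plugin-name parameter.
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, ExampleCtxFactory.class.getName());
        DirContext people = new InitialDirContext(env);

        // Per request: descend to the user, then fetch the ARP's attribute.
        DirContext user = (DirContext) people.lookup("uid=jdoe");
        Attributes got = user.getAttributes("", new String[] {"eduPersonEntitlement"});
        System.out.println(got.get("eduPersonEntitlement"));
        System.out.println("(accountId=" + escapeFilterValue("j*doe)") + ")");
    }
}
```

Compile with javac and run with java AaPluginExample; the first line printed is the multi-valued eduPersonEntitlement attribute, the second the escaped filter. Keying the per-user context on the resolved guid rather than on the raw handle subject mirrors the CMU design and keeps the identifier the AA trusts separate from the string the requester supplied.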