shibboleth-dev - RE: [Shib-Dev] [IdPv3] Attribute Resolver Work
From: Etan Weintraub <>
To: <>
Subject: RE: [Shib-Dev] [IdPv3] Attribute Resolver Work
Date: Wed, 26 May 2010 16:15:24 -0400

Well, I was thinking of something within the individual attributes, so you
would call the LDAP query to get the root data, but then use the command line
call (which I realize would be a bottleneck and slow things down, I'm just
remembering the answers you've given when people asked for Perl support and
thought this might be simple) for executing Perl script (or any script) on
the values to do translations instead of the inline Javascript support that
exists now. So, pulling from something I have in my current
attribute-resolver.xml and modifying, something like this:

<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="Executable"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="eduPersonAffiliation">
    <resolver:Dependency ref="myLDAP" />

    <resolver:AttributeEncoder xsi:type="SAML1String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonAffiliation" />

    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />

    <Executable
        Command="/usr/local/shibboleth-idp/scripts/edupersonaffiliation.pl">
        <Argument order="1" source="eduPersonAffiliation" />
        <Argument order="2" source="entityID" />
    </Executable>
</resolver:AttributeDefinition>

So, for a user with an eduPersonAffiliation of Staff and for an entityID of
https://spaces.internet2.edu/shibboleth it would call an executable of:

/usr/local/shibboleth-idp/scripts/edupersonaffiliation.pl Staff
https://spaces.internet2.edu/shibboleth

Then the resolver would take whatever string output came from that Perl
script and make it the value for the eduPersonAffiliation in the resolver.

Make sense?

-Etan E. Weintraub
Team Leader - Enterprise Authentication
Senior Systems Engineer - Enterprise Directory
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail:


-----Original Message-----
From: Chad La Joie
Sent: Wednesday, May 26, 2010 4:05 PM
To:
Subject: Re: [Shib-Dev] [IdPv3] Attribute Resolver Work

Executing a native command is possible (Java has exec support), though
my past experience (about a year ago) has shown that it's really very slow.

I think the hard part would be coming up with a way to express what
sorts of arguments you wanted to pass the script, that is, how would you
create the argument and interpolate the attribute values? My initial
thought would be to simply use the velocity language used to create the
LDAP and Database queries. So you'd create a template that evaluated to
the argument string for the command.

Can you think of something else?

On 5/26/10 2:35 PM, Etan Weintraub wrote:
> Chad- Not sure how much work it would be, but one thing I would like
> to be considered is in addition to the Scriptlet handling of
> attributes, possibly something that will drop out to a command line
> executable (i.e. a Perl script) with arguments that would include
> attribute values or entityID's or anything else available to the
> request that would then return the value for the final attribute.
> This would allow for the frequently asked for Perl script support
> without having to actually support Perl in the XML, and with opening
> it up to pretty much any other code library an admin would want to
> use as long as they could make it a command line tool.


--
Chad La Joie
http://itumi.biz
trusted identities, delivered

Attachment: PGP.sig
Description: PGP signature
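The sketch below is an added illustration of what the proposed Executable attribute definition would have to do inside the IdP; it is not Shibboleth code and no such attribute definition type exists in the IdP. The class name ExecutableAttributeDefinition, the methods buildArgv and resolve, and the reserved argument name "entityID" are assumptions made for the example. The point it makes is the one a reviewer would raise about rendering the argument list from a Velocity template: if the template produces a single command string that is then handed to a shell (or to Runtime.exec(String), which splits on whitespace), an attribute value such as `Staff; rm -rf /` or an entityID containing spaces changes the command that runs. Passing the command and each argument as separate argv entries through ProcessBuilder keeps attribute values as data.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

/**
 * Hypothetical "Executable" attribute definition (example only, not part of
 * the Shibboleth IdP). Each configured <Argument> becomes its own argv entry;
 * nothing is joined into a command line or passed through a shell.
 */
public class ExecutableAttributeDefinition {

    private final String command;           // e.g. /usr/local/shibboleth-idp/scripts/edupersonaffiliation.pl
    private final List<String> argSources;  // ordered: dependency attribute IDs, or "entityID" (assumed reserved name)
    private final long timeoutSeconds;      // exec is slow; a hung script must not hold the resolver

    public ExecutableAttributeDefinition(String command, List<String> argSources, long timeoutSeconds) {
        this.command = command;
        this.argSources = new ArrayList<>(argSources);
        this.timeoutSeconds = timeoutSeconds;
    }

    /** Build argv: command first, then one entry per value of each configured source. */
    List<String> buildArgv(Map<String, List<String>> resolvedAttributes, String requesterEntityId) {
        List<String> argv = new ArrayList<>();
        argv.add(command);
        for (String source : argSources) {
            if ("entityID".equals(source)) {
                argv.add(requesterEntityId);
            } else {
                // Multi-valued dependency: every value is a separate argument, never re-tokenised.
                argv.addAll(resolvedAttributes.getOrDefault(source, Collections.emptyList()));
            }
        }
        return argv;
    }

    /** Run the script; each non-empty stdout line becomes one value of the new attribute. */
    public List<String> resolve(Map<String, List<String>> resolvedAttributes, String requesterEntityId)
            throws IOException, InterruptedException {
        ProcessBuilder pb = new ProcessBuilder(buildArgv(resolvedAttributes, requesterEntityId));
        pb.environment().clear();                              // do not leak the IdP's environment to the script
        pb.redirectError(ProcessBuilder.Redirect.INHERIT);     // script diagnostics go to the IdP's stderr
        Process proc = pb.start();
        proc.getOutputStream().close();                        // nothing is written to the script's stdin

        // Drain stdout on a helper thread so a large result cannot fill the pipe and
        // deadlock the child, while a hung script is still caught by the timeout below.
        List<String> values = new ArrayList<>();
        Thread drain = new Thread(() -> {
            try (BufferedReader r = new BufferedReader(
                    new InputStreamReader(proc.getInputStream(), StandardCharsets.UTF_8))) {
                String line;
                while ((line = r.readLine()) != null) {
                    if (!line.isEmpty()) values.add(line);
                }
            } catch (IOException ignored) {
                // child closed the pipe; exit status below decides success
            }
        });
        drain.start();

        if (!proc.waitFor(timeoutSeconds, TimeUnit.SECONDS)) {
            proc.destroyForcibly();
            throw new IOException("script timed out after " + timeoutSeconds + "s: " + command);
        }
        drain.join(1000);
        if (proc.exitValue() != 0) {
            throw new IOException("script exited " + proc.exitValue() + ": " + command);
        }
        return values;
    }

    public static void main(String[] args) throws Exception {
        // Assumed configuration mirroring the proposed <Executable> element; /bin/echo stands in
        // for edupersonaffiliation.pl so the run shows exactly what argv the script receives.
        ExecutableAttributeDefinition def = new ExecutableAttributeDefinition(
                "/bin/echo", Arrays.asList("eduPersonAffiliation", "entityID"), 5);
        Map<String, List<String>> attrs = new HashMap<>();
        attrs.put("eduPersonAffiliation", Arrays.asList("Staff; rm -rf /"));  // constructed hostile value
        System.out.println(def.resolve(attrs, "https://spaces.internet2.edu/shibboleth"));
    }
}
```

Running the main method with /bin/echo in place of the Perl script shows the hostile affiliation value and the entityID arriving as two intact arguments: the semicolon and the rest of the value are echoed back as text, because no shell ever saw them. The same class with the real script path gives the behaviour Etan describes (value in, translated value out), and the timeout plus the cleared environment are the two controls worth insisting on if an exec-based definition were ever added, given Chad's note on how slow native exec is.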



