shibboleth-dev - Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
Subject: Shibboleth Developers
- From: Chad La Joie <>
- To:
- Subject: Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
- Date: Thu, 28 Apr 2011 18:13:07 -0400
- Organization: Itumi, LLC
Probably not a good idea. ;)
I think a better approach would be to define a custom <Extensions>
element and stick it in the AttributeQuery. That would work fine as
long as you control the code making the request (which I think is the
case here) and your data connector knows to look for it (which it would
since you wrote it).
On 4/28/11 5:56 PM, Tom Zeller wrote:
> I imagine the response to my question is "probably not a good idea",
> but here goes ...
>
> Ideally, I would like to pass arbitrary data (a DateTime object or
> timestamp) into an AttributeRequestContext.
>
> I am using the attribute resolver for provisioning grouper via
> ldappcng, and I think I would like to supply a DateTime object to an
> AttributeAuthority when calculating attributes. The purpose of the
> DateTime object would be for Grouper's DataConnectors to return
> attributes based on Grouper's point-in-time auditing.
>
> Would it be a reasonable hack to co-opt a Session's
> lastActivityInstant ? The user session would never be used elsewhere,
> AFAIK.
>
> Pseudo-code follows :
>
> // a group or member identifier
> String ID = provisioningRequest.getID();
>
> // when a change occurred
> long when = provisioningRequest.getAuditTime();
>
> // create a context with principal name as the group or member identifier
> BaseSAMLProfileRequestContext attributeRequestContext = new BaseSAMLProfileRequestContext();
> attributeRequestContext.setPrincipalName(ID);
>
> // BEGIN HACK
> // pass a timestamp via user session
> SessionImpl userSession = new SessionImpl(null, null, 0);
> userSession.setLastActivityInstant(new DateTime(when));
> attributeRequestContext.setUserSession(userSession);
> // END HACK
>
> // get the attributes
> attributeAuthority.getAttributes(attributeRequestContext);
>
> And in the DataConnector
>
> String principalName = resolutionContext.getAttributeRequestContext().getPrincipalName();
> DateTime when = resolutionContext.getAttributeRequestContext().getUserSession().getLastActivityInstant();
> Group group = PITGroupFinder.findByName(principalName, when ...)
>
> TomZ
>
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
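
The `<Extensions>` approach suggested in the reply above, sketched from the receiving side as an added example (not code from this thread or from Shibboleth). It uses only the JDK's XML parser rather than OpenSAML; the `urn:example:grouper:pit` namespace, the `AuditTime` element name and the sample request are constructed for illustration.

```java
import java.io.StringReader;
import java.time.Instant;
import java.util.Optional;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class PointInTimeExtension {
    static final String SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol";
    static final String SAML = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String PIT_NS = "urn:example:grouper:pit"; // hypothetical namespace
    // Constructed sample request; <pit:AuditTime> is a hypothetical extension element.
    static final String SAMPLE =
        "<samlp:AttributeQuery xmlns:samlp='" + SAMLP + "' xmlns:saml='" + SAML + "'"
        + " ID='_constructed1' Version='2.0' IssueInstant='2011-04-28T22:00:00Z'>"
        + "<samlp:Extensions><pit:AuditTime xmlns:pit='" + PIT_NS + "'>"
        + "2011-04-28T21:56:00Z</pit:AuditTime></samlp:Extensions>"
        + "<saml:Subject><saml:NameID>etc:sample-group</saml:NameID></saml:Subject>"
        + "</samlp:AttributeQuery>";
    // Receiver side: return the requested point in time, or empty if none was sent.
    static Optional<Instant> readAuditTime(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse DOCTYPE declarations so the request cannot carry entity definitions.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml))).getDocumentElement();
        if (!SAMLP.equals(root.getNamespaceURI()) || !"AttributeQuery".equals(root.getLocalName()))
            throw new IllegalArgumentException("not a samlp:AttributeQuery");
        // Extensions is a direct child of the request element, so do not search deeper.
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE || !SAMLP.equals(n.getNamespaceURI())
                    || !"Extensions".equals(n.getLocalName())) continue;
            NodeList hits = ((Element) n).getElementsByTagNameNS(PIT_NS, "AuditTime");
            if (hits.getLength() != 1) throw new IllegalArgumentException("expected one AuditTime");
            Instant when = Instant.parse(hits.item(0).getTextContent().trim());
            if (when.isAfter(Instant.now())) throw new IllegalArgumentException("AuditTime in future");
            return Optional.of(when);
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(readAuditTime(SAMPLE)); // the timestamp a data connector would use
    }
}
```

Because the timestamp travels inside the request element, a signature over the AttributeQuery also covers it, and a request without the extension can fall back to resolving current state.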