shibboleth-dev - Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
Subject: Shibboleth Developers
List archive
Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
Chronological Thread
- From: Tom Zeller <>
- To:
- Subject: Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?
- Date: Mon, 23 May 2011 10:32:05 -0600
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type :content-transfer-encoding; b=cKGlBR1BX8c+W9iO47f/oRp6Sv/saFuAkFrQEIuHDENfLmrEsuAAbulnGQpZA+CEqA /ifGPRXzHTXeT9PJ61QxY14qYVD1SnyuLCL3J51+VIgYJIuni1w8y5pqeuBGJhvemAVX XPMYdAbOH7OH5TFdl+sohafx1cqOD46c9oDsU=
Does this code look correct for a custom grouper attribute query extension ?
https://spaces.internet2.edu/display/Grouper/AttributeQuery+UpdatedSince+Extension
Thanks for looking,
TomZ
> Right, thanks for the clue to customize AttributeQuery.
>
>> Probably not a good idea. ;)
>>
>> I think a better approach would be to define a custom <Extensions>
>> element and stick it in the AttributeQuery. That would work fine as
>> long as you control the code making the request (which I think is the
>> case here) and your data connector knows to look for it (which it would
>> since you wrote it).
>>
>> On 4/28/11 5:56 PM, Tom Zeller wrote:
>>> I imagine the response to my question is "probably not a good idea",
>>> but here goes ...
>>>
>>> Ideally, I would like to pass arbitrary data (a DateTime object or
>>> timestamp) into a AttributeRequestContext.
>>>
>>> I am using the attribute resolver for provisioning grouper via
>>> ldappcng, and I think I would like to supply a DateTime object to an
>>> AttributeAuthority when calculating attributes. The purpose of the
>>> DateTime object would be for Grouper's DataConnectors to return
>>> attributes based on Grouper's point-in-time auditing.
>>>
>>> Would it be a reasonable hack to co-opt a Session's
>>> lastActivityInstant ? The user session would never be used elsewhere,
>>> AFAIK.
>>>
>>> Pseudo-code follows :
>>>
>>> // a group or member identifier
>>> String ID = provisioningRequest.getID();
>>>
>>> // when a change occurred
>>> long when = provisioningRequest.getAuditTime();
>>>
>>> // create a context with principal name as the group or member identifier
>>> BaseSAMLProfileRequestContext attributeRequestContext = new
>>> BaseSAMLProfileRequestContext();
>>> attributeRequestContext.setPrincipalName(ID);
>>>
>>> // BEGIN HACK
>>> // pass a timestamp via user session
>>> SessionImpl userSession = new SessionImpl(null, null, 0);
>>> userSession.setLastActivityInstant(new DateTime(when));
>>> attributeRequestContext.setUserSession(userSession);
>>> // END HACK
>>>
>>> // get the attributes
>>> attributeAuthority.getAttributes(attributeRequestContext);
>>>
>>> And in the DataConnector
>>>
>>> String principalName =
>>> resolutionContext.getAttributeRequestContext().getPrincipalName();
>>> DateTime when =
>>> resolutionContext.getAttributeRequestContext().getUserSession().getLastActivityInstant();
>>> Group group = PITGroupFinder.findByName(principalName, when ...)
>>>
>>> TomZ
>>>
>>
>> --
>> Chad La Joie
>> http://itumi.biz
>> trusted identities, delivered
>>
>
- Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?, Tom Zeller, 05/23/2011
- Re: [Shib-Dev] hacking lastActivityInstant for point-in-time provisioning via the attribute resolver ?, Brent Putman, 05/23/2011
Archive powered by MHonArc 2.6.16.