Are there any built-in attributes passed to AttributeManager?
ndrw_cheung Nov 8, 2012 9:28 AM
Hi. I have developed a Custom AttributeManager which retrieves attributes for a user using LDAP from eDirectory. I understand that we specify the attributes to be passed from IDP from SP in the picketlink.xml file on the IDP side (see below in green), but when I put in debugging statements in my Custom Attribute Manager, I found that there are a set of attributes passed to the Attribute Manager that are NOT specified in my list of attributes (see below in red). My questions are: Where do these attributes come from? Who passes them in? Are they built-in? (I'm pretty sure it wasn't in my code or configurations knowingly because some of the names of these unexpected attributes are not used in our eDirectory at all). Is there a way to change them?
Thanks for answering.
-Andrew
---------------------------------------
Details about my setup and code snippets are as follows:
My setup:
-PicketLink version 2.1.4
-IDP runs on tomcat (version 6.0.35), uses JNDIRealm that interacts with eDirectory.
-Users are stored in eDirectory. The roles are stored in an attribute in the user object.
-SP runs on JBoss EPP 5.2.1.
----------------
picketlink.xml on IDP side:
<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
  <PicketLinkIDP xmlns="urn:picketlink:identity-federation:config:2.1" StrictPostBinding="true" AttributeManager="demo.eDirAttributeManager">
    <IdentityURL>http://localhost:8180/IDP/</IdentityURL>
    <Trust>
      <Domains>localhost,jboss.com,jboss.org,amazonaws.com</Domains>
    </Trust>
  </PicketLinkIDP>
  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2IssuerTrustHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler" />
    <Handler class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AttributeHandler">
      <!-- <Option Key="ATTRIBUTE_MANAGER" Value="org.picketlink.identity.federation.bindings.tomcat.TomcatAttributeManager"/> -->
      <Option Key="ATTRIBUTE_MANAGER" Value="com.brookfieldres.SAML2.eDirAttributeManager"/>
      <Option Key="ATTRIBUTE_KEYS" Value="cn,mail,title"/>
    </Handler>
  </Handlers>
  <!--
    The configuration below defines a token timeout and a clock skew. Both configurations will be used during the SAML Assertion creation.
    This configuration is optional. It is defined only to show you how to set the token timeout and clock skew configuration.
  -->
  <PicketLinkSTS xmlns="urn:picketlink:identity-federation:config:1.0" TokenTimeout="5000" ClockSkew="0">
    <TokenProviders>
      <TokenProvider
        ProviderClass="org.picketlink.identity.federation.core.saml.v1.providers.SAML11AssertionTokenProvider"
        TokenType="urn:oasis:names:tc:SAML:1.0:assertion"
        TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:1.0:assertion" />
      <TokenProvider
        ProviderClass="org.picketlink.identity.federation.core.saml.v2.providers.SAML20AssertionTokenProvider"
        TokenType="urn:oasis:names:tc:SAML:2.0:assertion"
        TokenElement="Assertion" TokenElementNS="urn:oasis:names:tc:SAML:2.0:assertion" />
    </TokenProviders>
  </PicketLinkSTS>
</PicketLink>
------------------
context.xml :
<Context>
  <Realm className="org.apache.catalina.realm.JNDIRealm" allRolesMode="strict" connectionName="cn=myuser,o=com" connectionPassword="hello123" connectionURL="ldap://MY_TREE:389" userBase="o=com" userRoleName="EmployeeTypeCt" userSearch="(cn={0})" userSubtree="true"/>
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPSAMLDebugValve" />
  <Valve className="org.picketlink.identity.federation.bindings.tomcat.idp.IDPWebBrowserSSOValve" ignoreAttributesGeneration="false"/>
</Context>
------------------
eDirAttributeManager.java :
[code snipped]
public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
    Map<String, Object> result = null;
    String cn = userPrincipal.getName();
    // attributeKeys is the list handed in by SAML2AttributeHandler
    String[] attributes = attributeKeys.toArray(new String[0]);
    String[] arrMappedAttributes = new String[attributes.length];
    int i = 0;
    for (String tmpAttribute : attributes) {
        _Logger.info("DEBUG : looping through attributes : tmpAttribute = " + tmpAttribute);
        String mappedAttribute = "";
    }
    ...code to retrieve attributes from eDir
-------------------------
In the server.log on the IDP side :
2012-11-08 08:59:26,571 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = mail
2012-11-08 08:59:26,572 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = cn
2012-11-08 08:59:26,573 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = commonname
2012-11-08 08:59:26,573 INFO [dmeo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = givenname
2012-11-08 08:59:26,574 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = surname
2012-11-08 08:59:26,574 INFO [dmeo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = employeeType
2012-11-08 08:59:26,575 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = employeeNumber
2012-11-08 08:59:26,576 INFO [demo.eDirAttributeManager] (http-8180-2) DEBUG : looping through attributes : tmpAttribute = facsimileTelephoneNumber
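One defensive way to write such a manager, added here as an example and not the poster's code: release only the keys that were configured under ATTRIBUTE_KEYS and log and drop anything else the handler passes in (such as the commonname/givenname/surname keys visible in the log above). It assumes the PicketLink 2.1 interface lives at org.picketlink.identity.federation.core.interfaces.AttributeManager and replaces the eDirectory LDAP lookup with a constructed in-memory map.

```java
package demo;

import java.security.Principal;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import org.picketlink.identity.federation.core.interfaces.AttributeManager; // assumed 2.1 package

/** Releases only the attributes named in ATTRIBUTE_KEYS; any other requested key is logged and dropped. */
public class AllowListAttributeManager implements AttributeManager {
    private static final Logger LOG = Logger.getLogger(AllowListAttributeManager.class.getName());

    // Assumed allow-list: the same keys as ATTRIBUTE_KEYS in picketlink.xml,
    // each mapped to the eDirectory attribute that backs it.
    private static final Map<String, String> RELEASABLE = new LinkedHashMap<String, String>();
    static {
        RELEASABLE.put("cn", "cn");
        RELEASABLE.put("mail", "mail");
        RELEASABLE.put("title", "title");
    }

    // Constructed stand-in for the directory: user cn -> (eDir attribute -> value).
    private final Map<String, Map<String, Object>> directory;

    public AllowListAttributeManager(Map<String, Map<String, Object>> directory) {
        this.directory = directory;
    }

    public Map<String, Object> getAttributes(Principal userPrincipal, List<String> attributeKeys) {
        Map<String, Object> result = new HashMap<String, Object>();
        Map<String, Object> entry = directory.get(userPrincipal.getName());
        if (entry == null) {
            return result; // unknown user: release nothing rather than failing the assertion
        }
        for (String key : attributeKeys) {
            String ldapName = RELEASABLE.get(key);
            if (ldapName == null) {
                LOG.warning("ignoring attribute key not in ATTRIBUTE_KEYS: " + key);
                continue; // unexpected key from the handler: never released
            }
            Object value = entry.get(ldapName);
            if (value != null) {
                result.put(key, value);
            }
        }
        return result;
    }
}
```

Because the allow-list is enforced inside the manager, the set of attributes that reaches the SAML assertion stays fixed regardless of which keys the IDP's handlers add to the request.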