Hi
Apologies for cross posting this to both Shib lists, but this was originally discussed on -Libraries before crossing over.

When the requirement to provide JSTOR with eduPersonEntitlement came about a number of us wanted to use a scriptlet that referenced the value of eduPersonAffiliation we had already computed.  ePA was generated from  directory attributes in a previous scriptlet and populated with member and staff/student and we wanted to do a simple test for "member" in ePA to generate ePE rather than duplicating the whole block of code again.

The example in the documentation at https://spaces.internet2.edu/display/SHIB/ScriptletAttributeDefinition  had a line in saying:

<AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation" />

which looked excellent, but then went on to say:

Attribute attribute = attributes.get("eduPersonAffiliation");

Was that going to use the previously derived ePA?  NO!  It was going off to the directory to get a value out of an attribute there!   All well and good if you have just stored this stuff in your directory, but we and many others haven't.   In our case we decide on "member" referring to 3 directory attributes.

Anyway, grateful thanks to Jethro Binks who had brought this reference to my attention:

http://www.bestgrid.org/index.php/Vladimir%27s_general_Shiboleth_notes

which amongst a lot of other useful stuff has a section from which I was able to write:


   ResolverAttribute affil = dependencies.getAttributeResolution("urn:mace:dir:attribute-def:eduPersonAffiliation");
   String affilStr = null;
    if (affil != null) 
   {
       Iterator i = affil.getValues();
       while (i.hasNext()) 
      { 
             affilstr = (String)i.next();
             if (affilstr=="member") 
            {
                     resolverAttribute.addValue("urn:mace:dir:entitlement:common-lib-terms");
            }
      }
   }

What this does is gets the ePA values into an Iterator which we can use to step through them, each value is converted to a string which is compared with the sought value of "member".

Some may argue that the above is more complex than recomputing the value of ePA all over again, but that may depend on how complex your decision on "member" is.   In any case it's nice to know how to do this now.

Cheers
Andy

BTW, we're now hitting nearly 1000 different users a day using our IdP to authenticate to resources, with over 5000 logins per day.  Over 6000 of our users had used the service at the beginning of this month and increasing (1000 more in the last 2 weeks of October when I last looked)


The University of Dundee is a registered Scottish charity, No: SC015096