Hi
Right, now I have a _real_ problem.
I have the following script:
<resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad" >
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
    <Script> <![CDATA[
        importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
        eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
        if (groupMembership != null)
        {
            group0 = groupMembership.getValues().get(0).toLowerCase();
            eduPersonEntitlement.getValues().add(group0);
        }
    ]]>
    </Script>
</resolver:AttributeDefinition>
OK, I know I wouldn't normally just stuff a group membership value in ePE but it's a convenient way to see what it's doing.
This works perfectly well if I log in as me, I have group memberships and the first one is there in my ePE when I go to an SP.
If I log in with a user who has no group memberships it throws an exception! Surely the "if (groupMembership != null)" line should stop that happening? But in the logs is:
com.sun.phobos.script.util.ExtendedScriptException: org.mozilla.javascript.EcmaError: ReferenceError: "groupMembership" is not defined. (<Unknown Source>#3) in <Unknown Source> at line number 3
This is almost identical to the example for ePA in the wiki: https://spaces.internet2.edu/display/SHIB2/ResolverScriptAttributeDefinition :
if (memberOf != null ){
student = false;
faculty = false;
staff = false;
Am I missing something here?
Andy
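The failure reported above can be reproduced outside the IdP. This is an added example, not part of the original post and not Shibboleth code. In JavaScript, comparing an undeclared identifier with `null` throws a ReferenceError, while `typeof` on it does not. `makeAttribute`, `resolve` and the sample group value are constructed stand-ins, and the example assumes the engine binds a variable only for attributes that actually resolved, as the logged error implies.

```javascript
// Stand-in for the Java attribute objects the IdP hands to the script (constructed).
function makeAttribute(id, values) {
  const list = values.slice();
  return {
    getValues: () => ({
      get: (i) => list[i],
      add: (v) => { list.push(v); return true; },
      toArray: () => list.slice(),
    }),
  };
}

// Guard exactly as written in the post.
const ORIGINAL_GUARD = "groupMembership != null";
// typeof never throws on an undeclared identifier, so it is checked first.
const TYPEOF_GUARD = 'typeof groupMembership != "undefined" && groupMembership != null';

// Script body from the post; importPackage is dropped and "var" added so nothing leaks globally.
function scriptBody(guard) {
  return `
    var eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
    if (${guard}) {
      var group0 = groupMembership.getValues().get(0).toLowerCase();
      eduPersonEntitlement.getValues().add(group0);
    }
    return eduPersonEntitlement.getValues().toArray();`;
}

// Assumption: only resolved attributes are bound. Bindings are modelled as parameters,
// so an unresolved attribute is simply not declared inside the script.
function resolve(guard, bindings) {
  const names = Object.keys(bindings);
  const fn = new Function("BasicAttribute", ...names, scriptBody(guard));
  const BasicAttribute = function (id) { return makeAttribute(id, []); };
  try {
    return { values: fn(BasicAttribute, ...names.map((n) => bindings[n])) };
  } catch (e) {
    return { error: e.name };
  }
}

// Constructed sample users: one with a group, one with no groupMembership at all.
const withGroups = { groupMembership: makeAttribute("groupMembership", ["CN=Staff,O=Example"]) };
const noGroups = {};

console.log(resolve(ORIGINAL_GUARD, withGroups)); // group value, lower-cased
console.log(resolve(ORIGINAL_GUARD, noGroups));   // ReferenceError, as in the log
console.log(resolve(TYPEOF_GUARD, noGroups));     // empty value list, no exception
```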