Attributes
External attribute validator
If the regular expression input value conversion rules are not sufficient to implement the business logic required to validate an attribute value, you can program an external validator and configure it for the attribute.
To do this, create a program containing the external validator and build it into a JAR file.
Copy the resulting JAR file to the servers running the Blitz Identity Provider applications, and specify the directory containing it in the extensionsDir Java option.
Example:
export JAVA_OPTS="${JAVA_OPTS} -DextensionsDir=/usr/share/identityblitz/extensions"
In the blitz.prod.local.idp.id-attrs.attrsMeta attribute settings block, add a validators block to the source block of the attribute description for which you want to enable validation via an external validator:
- in the className setting, specify the fully qualified name of the Java class that implements the AttributeValidator interface from the Blitz JDK;
- in the conf block, specify the settings to be passed to the validator.
Example of configuration:
"id-attrs" : {
  "attrsMeta" : [
    {
      "class" : "verified-mobile",
      "format" : "string",
      "name" : "phone_number",
      "realmed" : false,
      "required" : false,
      "searchable" : true,
      "source" : {
        "validators" : [
          {
            "className" : "validator.MobileValidator",
            "conf" : {
              "conf1" : "value1"
            }
          }
        ],
        "type" : "idStore"
      },
      "unique" : false
    },
    …
  ]
}
Attribute translator
You can associate a translator with an attribute; the translator describes the rules for converting the attribute when it is read from and written to the LDAP directory. In the attribute store settings block, in the blitz.prod.local.idp.id-stores.list.mappingRules attribute mapping section, add a translator block with the className setting to the description block of the attribute for which you want to enable a translator. The className setting must contain the name of the Java class that implements the translation algorithm; that class must implement the LdapAttributeTranslator interface from the Blitz JDK.
For some attributes from Active Directory, Blitz Identity Provider provides built-in Java classes:
If you need a translator for the objectGUID attribute from Active Directory so that the attribute is represented as a GUID string rather than as raw bytes, use the com.identityblitz.idp.store.ldap.core.translator.ObjectGUIDTranslator Java class.
Example of configuration:
"id-stores" : {
  "list" : [
    {
      …
      "mappingRules" : [
        …
        {
          "name" : "objectGUID",
          "storeAttr" : "objectGUID",
          "translator" : {
            "className" : "com.identityblitz.idp.store.ldap.core.translator.ObjectGUIDTranslator"
          }
        }
      ]
    },
    …
  ]
}
If you need a translator for the objectSID attribute that converts it to its string form, use the com.identityblitz.idp.store.ldap.core.translator.ObjectSIDTranslator Java class. The converted attribute is searchable, but the LIKE operation is not supported; the attribute cannot be modified or set at creation.
Example of configuration:
"id-stores" : {
  "list" : [
    {
      …
      "mappingRules" : [
        …
        {
          "name" : "objectSID",
          "storeAttr" : "objectSID",
          "translator" : {
            "className" : "com.identityblitz.idp.store.ldap.core.translator.ObjectSIDTranslator"
          }
        }
      ]
    },
    …
  ]
}
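The following Python is an added example, not code from Blitz Identity Provider, showing the conversion the two built-in translators perform: the raw objectGUID and objectSID bytes returned by Active Directory are decoded into their string forms, and the strings are encoded back into bytes, which is what an equality search on the converted attribute needs. The byte layouts are the standard Windows GUID and SID formats; the sample values are constructed for the example and are not real directory data.

```python
"""Decode/encode Active Directory objectGUID and objectSID between their raw
byte form and their string form (added example; not Blitz IdP code)."""
import struct
import uuid


def object_guid_to_string(raw: bytes) -> str:
    """objectGUID is a 16-byte Windows GUID: Data1 (4 bytes), Data2 (2) and
    Data3 (2) are little-endian, Data4 (8) is stored as-is.
    uuid.UUID(bytes_le=...) applies exactly that layout."""
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_string_to_bytes(guid: str) -> bytes:
    """Inverse of object_guid_to_string, e.g. to build an equality filter."""
    return uuid.UUID(guid).bytes_le


def object_sid_to_string(raw: bytes) -> str:
    """objectSID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then count x uint32
    sub-authorities, each little-endian."""
    if len(raw) < 8:
        raise ValueError("objectSID must be at least 8 bytes")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError(
            f"objectSID length {len(raw)} does not match sub-authority count {count}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of object_sid_to_string: 'S-1-5-32-544' -> raw objectSID bytes."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError(f"SID out of range: {sid}")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


# Constructed sample values (not real directory data).
SAMPLE_GUID = bytes(range(1, 17))  # 01 02 03 ... 10
SAMPLE_SID = bytes.fromhex("0102 000000000005 20000000 20020000")  # S-1-5-32-544

if __name__ == "__main__":
    print(object_guid_to_string(SAMPLE_GUID))  # 04030201-0605-0807-090a-0b0c0d0e0f10
    print(object_sid_to_string(SAMPLE_SID))    # S-1-5-32-544
```

The mixed endianness is why the first three GUID groups in the string do not match the byte order you see in a raw LDAP dump. For the SID, an equality search works because the string can be encoded back to the exact byte sequence; there is no substring matching for the underlying binary value, which is the reason the page states that LIKE is not supported on the converted attribute.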
To use a self-developed translator, create a program containing the external translator and build it into a JAR file.
Copy the resulting JAR file to the servers running the Blitz Identity Provider applications, and specify the directory containing it in the extensionsDir Java option.
Example:
export JAVA_OPTS="${JAVA_OPTS} -DextensionsDir=/usr/share/identityblitz/extensions"
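A pre-deployment check covering both procedures on this page (the external attribute validator and a self-developed translator), added here as an example and not part of Blitz Identity Provider: it reads the extensionsDir value out of a JAVA_OPTS line, collects every className from id-attrs.attrsMeta validators blocks and id-stores.list mappingRules translator blocks, and reports the classes that are neither one of the two built-in translator classes named above nor present as a .class entry in a JAR under extensionsDir. The configuration fragment, JAR name and class names it runs against are constructed for the example; the only assumption beyond the page is the standard Java rule that a class a.b.C lives at a/b/C.class inside its JAR.

```python
"""Check that every validator/translator className in the Blitz IdP config
resolves to a class in a JAR under extensionsDir (added example; not Blitz code)."""
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Built-in translator classes named on this page; they ship with the product
# and are therefore not expected under extensionsDir.
BUILTIN_CLASSES = {
    "com.identityblitz.idp.store.ldap.core.translator.ObjectGUIDTranslator",
    "com.identityblitz.idp.store.ldap.core.translator.ObjectSIDTranslator",
}


def extensions_dir_from_java_opts(java_opts: str):
    """Return the value of -DextensionsDir=... in a JAVA_OPTS line, or None."""
    m = re.search(r"-DextensionsDir=([^\s\"']+)", java_opts)
    return m.group(1) if m else None


def class_entry(class_name: str) -> str:
    """validator.MobileValidator -> validator/MobileValidator.class (JAR entry)."""
    return class_name.replace(".", "/") + ".class"


def classes_in_jars(extensions_dir) -> set:
    """All .class entry names across every *.jar directly under extensionsDir."""
    found = set()
    for jar in Path(extensions_dir).glob("*.jar"):
        with zipfile.ZipFile(jar) as zf:
            found.update(n for n in zf.namelist() if n.endswith(".class"))
    return found


def referenced_classes(config: dict) -> list:
    """(where, className) for every validator and translator block in the config."""
    refs = []
    for attr in config.get("id-attrs", {}).get("attrsMeta", []):
        for v in attr.get("source", {}).get("validators", []):
            refs.append((f"attribute {attr.get('name')}", v["className"]))
    for store in config.get("id-stores", {}).get("list", []):
        for rule in store.get("mappingRules", []):
            translator = rule.get("translator")
            if translator:
                refs.append((f"mappingRule {rule.get('name')}", translator["className"]))
    return refs


def missing_classes(config: dict, extensions_dir) -> list:
    """Referenced class names that are neither built in nor found in any JAR."""
    present = classes_in_jars(extensions_dir)
    return [cls for _, cls in referenced_classes(config)
            if cls not in BUILTIN_CLASSES and class_entry(cls) not in present]


# Constructed config: one external validator, one built-in translator and one
# self-developed translator whose JAR was never copied to the server.
SAMPLE_CONFIG = json.loads("""{
  "id-attrs": {"attrsMeta": [
    {"name": "phone_number", "source": {"type": "idStore", "validators": [
      {"className": "validator.MobileValidator", "conf": {"conf1": "value1"}}]}}
  ]},
  "id-stores": {"list": [{"mappingRules": [
    {"name": "objectGUID", "storeAttr": "objectGUID", "translator": {
      "className": "com.identityblitz.idp.store.ldap.core.translator.ObjectGUIDTranslator"}},
    {"name": "phone", "storeAttr": "telephoneNumber", "translator": {
      "className": "translator.PhoneTranslator"}}
  ]}]}
}""")


def demo() -> list:
    """Build a throwaway extensionsDir with a JAR holding only the validator
    class and run the check; the translator class is reported as missing."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(Path(d) / "mobile-validator.jar", "w") as zf:
            # Empty placeholder standing in for a compiled class (constructed).
            zf.writestr(class_entry("validator.MobileValidator"), b"")
        return missing_classes(SAMPLE_CONFIG, d)


if __name__ == "__main__":
    opts = 'export JAVA_OPTS="${JAVA_OPTS} -DextensionsDir=/usr/share/identityblitz/extensions"'
    print(extensions_dir_from_java_opts(opts))  # /usr/share/identityblitz/extensions
    print(demo())  # ['translator.PhoneTranslator']
```

Run it against the real config and the real extensionsDir on each server before restarting the applications; a class that is missing from every JAR, or a JAR copied to only some of the servers, fails only at runtime when the attribute is first read or validated.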