preventing attribute release for a class of users

Liam Hoekenga liamr at
Thu Sep 15 14:28:48 BST 2011

Here's my situation. Our Shib installation uses our campus SSO for authentication. Our campus SSO has a guest account system. We don't want our guests getting out into the wild appearing to InCommon SPs as "real" UMich users.

Our current solution is to disallow guest access to the IdP.

Enter some new campus SP that wants to use Shib, but has a need / desire to allow both real and guest users, and is adamant that their users don't know that they're being logged in through Shib. So... they won't update their landing page to have different login links for "Uniqnames" vs "Friends", and don't want to be directed to a WAYF (or DS acting as a WAYF) because it would destroy the illusion.

My boss's proposed solution was to bring up a separate IdP for our local federation, separating the InC-aware IdP from the local fed, and the local IdP from InC. That's a second installation we'd need to maintain, and I'd rather not do it unless it's necessary.

My idea: our SSO identifies the guest accounts via an environment variable in the server's environment. If I pass that to Tomcat, could I base an attribute on that, and use that to prevent any attribute assertion for guest accounts outside of our local federation? (Maybe using AttributeRequesterInEntityGroup?)

Is this possible?
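An added example of the filter-policy approach the question sketches; it is not from the original post or from the Shibboleth project. It is an IdP 2.x attribute-filter-policy fragment that releases attributes to InCommon members only when the session is not a guest, and releases to the local federation regardless. It assumes a resolver attribute named `accountType` carrying the guest marker from the SSO environment variable, the InCommon entity group ID `urn:mace:incommon`, and a local-federation group ID `urn:mace:example:local-federation`; all three are assumptions.

```xml
<!-- Assumed: the SSO guest flag has been resolved into an attribute named
     "accountType" (value "guest" for guest users); the InCommon metadata is
     loaded as an EntitiesDescriptor with Name="urn:mace:incommon"; the local
     federation metadata uses Name="urn:mace:example:local-federation". -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- InCommon SPs: release only for non-guest sessions. The v2 filter
       engine is permit-only, so a guest matches no rule here and nothing
       is released to an InCommon requester. -->
  <afp:AttributeFilterPolicy id="releaseToInCommonNonGuests">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="saml:AttributeRequesterInEntityGroup"
                  groupID="urn:mace:incommon"/>
      <basic:Rule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="accountType" value="guest" ignoreCase="true"/>
      </basic:Rule>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Local-federation SPs: real and guest users alike, plus the guest
       marker itself so the campus SP can tell the two apart. -->
  <afp:AttributeFilterPolicy id="releaseToLocalFederation">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
                               groupID="urn:mace:example:local-federation"/>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="accountType">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The local-federation metadata must not also contain the InCommon SPs, or the second policy would release to them for guests too; `aacli.sh` with a guest principal and an InCommon SP as requester confirms that no attributes come back.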


More information about the users mailing list