preventing attribute release for a class of users

Cantor, Scott cantor.2 at
Thu Sep 15 15:47:06 BST 2011

On 9/15/11 10:34 AM, "Scott Cantor" <cantor.2 at> wrote:
>But to be clear, what you suggested won't work. You asked if you could
>prevent attribute release for those users. Sure, but so what? You've
>already authenticated them and you just said that the services only care
>about authentication. So it's authentication you have to block, not the

Adding to this, what you really are trying to do is essentially what sites
using google have to do to limit access by unprovisioned users. You have
to build authorization into your IdP and block successful responses for
users that don't have access to the SP. You're essentially just taking on
their job.

That requires a custom login module or some other kind of extension to
enforce the access and then either return a SAML error or just trap the
user there.

The login module I added to the contributions page has a set of functions
for doing that, and I believe other IdPs have done it. I know Brendan at
USC argues for that model a lot, so I imagine they probably have something
in place for that.

It is not about attribute release, but interrupting the SSO profile flow.

-- Scott

More information about the users mailing list