AW: Release different value for affiliation based on service provider
Christopher Bongaarts
cab at umn.edu
Wed Nov 14 11:16:30 EST 2012
This is what we do as well. The only place I can think of where you
would have to push the logic back into the resolver is if a specific
user's *value* of the attribute depends on the SP, as opposed to the
idea of releasing specific values that are otherwise constant per-user.
On 11/14/2012 2:29 AM, Ortner Nikolaus wrote:
> You could also use a single attribute (uh_eduPersonAffiliation) with the full information (faculty, staff, student) and have the filter sort it out.
>
> Something like:
> ===== conf/attribute-filter.xml =====
> <!-- SP_1 -->
> <afp:AttributeFilterPolicy id="sp_1">
>     <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>                                value="https://sp1.example.com" />
>
>     <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
>         <afp:PermitValueRule xsi:type="basic:OR">
>             <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
>             <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
>         </afp:PermitValueRule>
>     </afp:AttributeRule>
>
> </afp:AttributeFilterPolicy>
> <!-- /SP_1 -->
>
>
> <!-- SP_2 -->
> <afp:AttributeFilterPolicy id="sp_2">
>     <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
>                                value="https://sp2.example.org" />
>
>     <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
>         <afp:PermitValueRule xsi:type="basic:ANY" />
>     </afp:AttributeRule>
>
> </afp:AttributeFilterPolicy>
> <!-- /SP_2 -->
> ===============================
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
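
Added example, not part of the original thread and not Shibboleth's own code: a small Python model of the permit logic in the quoted filter policies, useful for checking which affiliation values each SP would receive before deploying a policy. The wrapping `AttributeFilterPolicyGroup` element, the sample user values and the function names `permits` and `released` are assumptions made for the illustration; only the rule types used in the quoted policy are modelled.

```python
import xml.etree.ElementTree as ET

AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: the two quoted policies wrapped in a group element (assumed wrapper).
POLICY_XML = """<afp:AttributeFilterPolicyGroup id="demo" xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="sp_1">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp1.example.com" />
    <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="sp_2">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://sp2.example.org" />
    <afp:AttributeRule attributeID="uh_eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

def permits(rule, value):
    # Evaluate one permit rule (hypothetical helper) against a single attribute value.
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind == "basic:OR":
        return any(permits(r, value) for r in rule.findall(f"{{{BASIC}}}Rule"))
    if kind == "basic:AttributeValueString":
        want, fold = rule.get("value"), rule.get("ignoreCase") == "true"
        return want.lower() == value.lower() if fold else want == value
    return False  # rule types not modelled here release nothing

def released(requester, attributes):
    # Return {attributeID: [values]} that the policies permit for this SP entityID.
    out = {}
    for policy in ET.fromstring(POLICY_XML).iter(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req.get("value") != requester:  # only AttributeRequesterString is modelled
            continue
        for rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id, permit = rule.get("attributeID"), rule.find(f"{{{AFP}}}PermitValueRule")
            kept = [v for v in attributes.get(attr_id, []) if permit is not None and permits(permit, v)]
            if kept:
                out.setdefault(attr_id, []).extend(kept)
    return out
```

In this model attribute IDs are compared exactly, so an `attributeID` carrying stray whitespace matches no resolved attribute and releases nothing.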