Disallow eppn/affiliation to be asserted by the wrong IdP

William Spooner william.spooner at eaglegenomics.com
Thu Oct 11 07:09:32 EDT 2012


I'm looking through the documentation on NativeSPAttributeDecoder, and under Scoped AttributeDecoder I see:

"Typically, an attribute's scope gives an indication of the domain in which an attribute's value applies; for example, staff@example.org represents a staff member at Example Organization, and the scope is example.org. However, it may not be desirable to allow staff@osu.edu to be asserted by the Brown University IdP. The specialized processing of this decoder facilitates these kinds of distinctions."

I want to do exactly this, i.e. disallow "staff@osu.edu" from being asserted by the Brown University IdP. Although I'm already doing this within my application, it would be great to hand the task off to my SP (Shibboleth 2.4.3). I would be very grateful if someone could point me towards some boilerplate config for this.

A related question: my SP uses three fixed IdPs, one Shibboleth, one OpenSSO and one AD. The attributes they deign to provide differ, but some can be inferred directly from knowledge of the IdP, e.g. organizationname, affiliation, etc. Is it possible to add/override attributes on a per-IdP basis?
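For the first question, here is an added configuration example (my own illustration, not the poster's config and not the files shipped with the Shibboleth SP; the entityID and scope value are hypothetical). The point worth drawing out is that ScopedAttributeDecoder only splits "value@scope" into a value and a scope; the check that the asserting IdP is actually entitled to that scope is done afterwards by the attribute filter, using the AttributeScopeMatchesShibMDScope rule, which compares the decoded scope against the shibmd:Scope elements in that IdP's metadata as loaded by the SP. The three fragments below belong to attribute-map.xml, attribute-policy.xml and the IdP's metadata respectively:

```xml
<!-- attribute-map.xml: decode eppn and affiliation as scoped attributes.
     The decoder splits "user@scope" into value + scope; it does not by
     itself check that the asserting IdP owns the scope. -->
<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
    </Attribute>
    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
    </Attribute>
</Attributes>

<!-- attribute-policy.xml: the scope check lives here, not in the decoder. -->
<afp:AttributeFilterPolicyGroup
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Shared rule for scoped attributes: drop any value the decoder
         could not split (it still contains '@'), and require the scope
         to match a shibmd:Scope published for the asserting IdP. -->
    <afp:PermitValueRule id="ScopingRules" xsi:type="AND">
        <basic:Rule xsi:type="NOT">
            <basic:Rule xsi:type="AttributeValueRegex" regex="@"/>
        </basic:Rule>
        <basic:Rule xsi:type="AttributeScopeMatchesShibMDScope"/>
    </afp:PermitValueRule>

    <afp:AttributeFilterPolicy>
        <!-- Applies to every IdP; the per-IdP part comes from metadata. -->
        <afp:PolicyRequirementRule xsi:type="ANY"/>
        <afp:AttributeRule attributeID="eppn">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="affiliation">
            <afp:PermitValueRuleReference ref="ScopingRules"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>

<!-- IdP metadata consumed by the SP (hypothetical entityID and scope):
     this is what makes "staff@example.org" acceptable from this IdP and
     "staff@osu.edu" from it rejected. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
                     entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:Extensions>
            <!-- regexp="false": literal scope, exact match only -->
            <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        </md:Extensions>
        <!-- KeyDescriptor and SingleSignOnService elements as usual -->
    </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

Two caveats a deployer should check: the rule only knows the scopes that appear in the metadata the SP itself loads, so for IdPs that do not publish shibmd:Scope (which is likely for the OpenSSO and AD sources mentioned above) the scope has to be added to the SP's local copy of their metadata, and until it is, every scoped value from that IdP is silently filtered out rather than passed through. After editing, `shibd -t` checks the configuration parses, and the `/Shibboleth.sso/Session` handler shows which attribute values survived filtering for a test login.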


