AttributeFilters to prevent specific users from using an SP?

Kanuch, Andrew Andy.Kanuch at sdstate.edu
Tue Feb 26 13:54:01 EST 2013


Is it possible to use an Attribute Filter policy to prevent a subset of users from being able to pass attributes to a specific Service Provider?

For example: a filter policy that passes user attributes (eduPersonAffiliation, givenName, EPPN, description) to the SP sp.testshib.org, *unless* the user account has the value "Student" in their LDAP (AD) account description field.

I've attempted to do this using some AND and NOT rules, but I don't think the Policy Requirement Rule likes having those nested because it breaks the "1 Rule Only" rule for PolicyRequirementRule (copy of policy below).

(Is it best practice to craft individual Attribute Filter Policies based on specific SP needs, or around individual attributes?)

<afp:AttributeFilterPolicy id="testshibby">

    <!-- Single top-level rule: AND of "description is not student" and "requester is sp.testshib.org". -->
    <afp:PolicyRequirementRule xsi:type="basic:AND">

        <!-- The NOT rule wraps exactly one nested rule and must be closed, otherwise the XML is malformed. -->
        <basic:Rule xsi:type="basic:NOT">
            <!-- Note: without ignoreCase this comparison is case-sensitive ("student", not "Student"). -->
            <basic:Rule xsi:type="basic:AttributeValueString" attributeID="description" value="student"/>
        </basic:Rule>

        <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.testshib.org/shibboleth-sp" ignoreCase="true"/>

    </afp:PolicyRequirementRule>

    <afp:AttributeRule attributeID="eduPersonAffiliation">
        <!-- Permit value rule that releases any value. -->
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="givenName">
        <!-- Permit value rule that releases any value. -->
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <!-- Permit value rule that releases any value. -->
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <afp:AttributeRule attributeID="description">
        <!-- Permit value rule that releases any value. -->
        <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
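To check what a policy like the one above actually releases before deploying it, here is an added example (not part of the original post and not Shibboleth's own code) that parses a small attribute-filter policy and evaluates the IdP v2 "basic" match functions it uses (basic:AND, basic:OR, basic:NOT, basic:ANY, basic:AttributeRequesterString, basic:AttributeValueString) against constructed user attribute sets. The embedded policy is the poster's policy with the basic:NOT rule closed and ignoreCase="true" added on the description check so that both "Student" and "student" are caught; the namespace URIs, the sample users and the assumption that the evaluator mirrors the IdP's matcher semantics are mine.

```python
# Offline evaluator for a Shibboleth IdP v2 "basic" attribute filter policy (added example).
import xml.etree.ElementTree as ET

# IdP v2 namespaces (assumed from the standard attribute-filter.xml header).
AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

TESTSHIB_SP = "https://sp.testshib.org/shibboleth-sp"

# Constructed policy: the poster's policy with the NOT rule closed and ignoreCase added.
POLICY_XML = f"""
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="{AFP}" xmlns:basic="{BASIC}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="testshibby">
    <afp:PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="description" value="student" ignoreCase="true"/>
      </basic:Rule>
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="{TESTSHIB_SP}" ignoreCase="true"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="description">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

# Constructed sample users; "description" is the AD field the poster keys on.
STAFF = {"eduPersonAffiliation": ["staff"], "givenName": ["Alice"],
         "eduPersonPrincipalName": ["alice@example.edu"], "description": ["Faculty"]}
STUDENT = {"eduPersonAffiliation": ["student"], "givenName": ["Bob"],
           "eduPersonPrincipalName": ["bob@example.edu"], "description": ["Student"]}


def _string_match(rule, candidate):
    """Compare a candidate string against the rule's value, honouring ignoreCase."""
    ignore_case = rule.get("ignoreCase", "false").lower() == "true"
    expected = rule.get("value", "")
    if ignore_case:
        return candidate.lower() == expected.lower()
    return candidate == expected


def eval_rule(rule, requester, attrs):
    """Evaluate one basic:* rule for a requester (SP entityID) and a user's attributes."""
    kind = rule.get(XSI_TYPE)
    children = [c for c in rule if c.tag == f"{{{BASIC}}}Rule"]
    if kind == "basic:ANY":
        return True
    if kind == "basic:AND":
        return all(eval_rule(c, requester, attrs) for c in children)
    if kind == "basic:OR":
        return any(eval_rule(c, requester, attrs) for c in children)
    if kind == "basic:NOT":
        if len(children) != 1:
            raise ValueError("basic:NOT takes exactly one nested rule")
        return not eval_rule(children[0], requester, attrs)
    if kind == "basic:AttributeRequesterString":
        return _string_match(rule, requester)
    if kind == "basic:AttributeValueString":
        values = attrs.get(rule.get("attributeID"), [])
        return any(_string_match(rule, v) for v in values)
    raise ValueError(f"unsupported rule type {kind!r}")


def released_attributes(policy_xml, requester, attrs):
    """Return {attributeID: [values]} the policy group releases to this requester for this user."""
    root = ET.fromstring(policy_xml)
    released = {}
    for policy in root.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        requirement = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if requirement is None or not eval_rule(requirement, requester, attrs):
            continue  # policy does not apply to this (requester, user) pair
        for attr_rule in policy.findall(f"{{{AFP}}}AttributeRule"):
            attr_id = attr_rule.get("attributeID")
            permit = attr_rule.find(f"{{{AFP}}}PermitValueRule")
            if permit is None:
                continue
            # Permit rules are evaluated per value, so value-level filters work too.
            for value in attrs.get(attr_id, []):
                if eval_rule(permit, requester, {attr_id: [value]}):
                    released.setdefault(attr_id, []).append(value)
    return released


if __name__ == "__main__":
    for label, user in (("staff", STAFF), ("student", STUDENT)):
        print(label, "->", TESTSHIB_SP, released_attributes(POLICY_XML, TESTSHIB_SP, user))
        print(label, "-> other SP", released_attributes(POLICY_XML, "https://other.example.org/sp", user))
```

Because the top-level rule is an AND that includes the requester check, the policy only fires for sp.testshib.org at all; a different SP gets nothing from this policy, and a user whose description matches "student" gets nothing even at sp.testshib.org. Running the same evaluation against the policy as originally posted (without ignoreCase on the description rule) shows the second caveat: a description of "Student" would not match and that user would still be released.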