AttributeFilters to prevent specific users to use an SP?

Peter Schober peter.schober at univie.ac.at
Tue Feb 26 14:31:48 EST 2013 

* Kanuch, Andrew <Andy.Kanuch at sdstate.edu> [2013-02-26 19:54]:
> Is it possible to use an Attribute Filter policy to a prevent a
> subset of users from being able to pass attributes to a Specific
> Service provider?

Yes

> For example:  A filter policy that allows passes user attributes
> (eduPersonAffiliation, givenName, EPPN, description) to the SP
> sp.testshib.org,  *unless* the user account has the value of
> "Student" in their LDAP(AD) account description field.
> 
> I've attempted to do this using some AND and NOT rules,  but I don't
> think the Policy Requirement Rule likes having those nested because
> it breaks the 1 Rule Only rule for PolicyRequirementRule (Copy of
> policy below.)

That would work (if dont correctly).

> ( Is it best practice to craft individual Attribute Filter Polices
> based on specific SP needs,  or around individual attributes? )

I do/did both, depending on what makes more sense for a given use case.
Generally I have the filter structured by attribute (because we have
more SPs than attributes, which makes for less rules with lists of
OR'ed SPs within).
For SPs needing specical attentiaon (usually custom
eduPersoneEntitlement values only meant for a specific SP) I have
rules by SP. That same SP might also be matched by other rules (see
above), which could be misleading, I suppose.

>                 <afp:AttributeFilterPolicy id="testshibby">
> 
>                                 <afp:PolicyRequirementRule xsi:type="basic:AND">
> 
>                                                 <basic:Rule xsi:type="basic:NOT">
>                                                                                 <basic:Rule xsi:type="basic:AttributeValueString" attributeID="description" value="student"/>
> 
>                                                 <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://sp.testshib.org/shibboleth-sp" ignoreCase="true"/>
> 
>                                 </afp:PolicyRequirementRule>

Kind of hard to read with the intention and on the small screen I'm at
currently, but that's not valid (not well-formed XML either, a basic
check you should /always/ perform when eduting any XML; here the NOT
rule has content but no closing tag), but try reversing the NOT and
AND rules to become NOT ( AND ( student testshib ) ), so to speak.
NOT can only negate a single "think". If you want to negate several
things combine them into a single "thing" via AND or OR,
-peter

More information about the users mailing list