IDP Filtering by AD group

Goggins, Patrick gogginsp at
Fri Apr 4 10:08:34 EDT 2014

I'm trying to set up an attribute-filter entry to allow authentication if a user is a member of a given group in AD. The concept below is to only allow CompSci majors and minors access to a site.


<afp:PolicyRequirementRule xsi:type="basic:AND">
        <!-- requester (SP entityID) check; the value was blank in the posted snippet -->
        <basic:Rule xsi:type="basic:AttributeRequesterString" value="" />
        <!-- group check, written here as a PermitValueRule inside the policy rule -->
        <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" attributeID="isMemberOf" value="COMPSCI-MAJ" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" attributeID="isMemberOf" value="COMPSCI-MIN" ignoreCase="true"/>
        </afp:PermitValueRule>
</afp:PolicyRequirementRule>

isMemberOf from our attribute-resolver.xml

<!-- isMemberOf copied straight from the LDAP (AD) connector and encoded as a SAML 2 string;
     the OID in name="urn:oid:" was cut off in the posted snippet -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="isMemberOf">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>

The issue is with mixing the basic rule with the PermitValueRule. Any ideas?
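As an added example (not from the original post or the Shibboleth project), here is a complete IdP 2.x attribute-filter policy for the same goal: the group test sits inside the basic:AND as its own basic:Rule, and the PermitValueRule is moved under an afp:AttributeRule, which is where the afp schema expects it. The SP entityID and the eduPersonPrincipalName attribute ID are assumed placeholders.

```xml
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <afp:AttributeFilterPolicy id="compsci-site">

    <!-- The whole policy applies only when BOTH hold:
         the requester is the CompSci site (placeholder entityID), AND
         the resolved isMemberOf attribute carries one of the two group values. -->
    <afp:PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="https://compsci.example.edu/shibboleth"/>
      <basic:Rule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="isMemberOf" value="COMPSCI-MAJ" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="isMemberOf" value="COMPSCI-MIN" ignoreCase="true"/>
      </basic:Rule>
    </afp:PolicyRequirementRule>

    <!-- Attributes released under this policy. Each AttributeRule carries its own
         PermitValueRule; basic:ANY releases every value of that attribute.
         eduPersonPrincipalName is an assumed example of what the SP needs. -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- Release isMemberOf itself, limited to the two values the SP cares about,
         so other AD group memberships are never disclosed to this SP. -->
    <afp:AttributeRule attributeID="isMemberOf">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="isMemberOf" value="COMPSCI-MAJ" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString"
                    attributeID="isMemberOf" value="COMPSCI-MIN" ignoreCase="true"/>
      </afp:PermitValueRule>
    </afp:AttributeRule>

  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The filter only governs attribute release: a non-member still authenticates at the IdP but arrives at the SP with no attributes, so the SP must be configured to require one of the released attributes for the access restriction to take effect.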