IDP Filtering by AD group
Goggins, Patrick
gogginsp at uwgb.edu
Fri Apr 4 10:08:34 EDT 2014
I'm trying to set up an attribute-filter entry to allow authentication if a user is a member of a given group in AD. The concept below is to only allow CompSci majors and minors access to a site.
attribute-filter.xml:

<afp:PolicyRequirementRule xsi:type="basic:AND">
    <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://fm.incommon.org/sp" />
    <PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" attributeID="isMemberOf" value="COMPSCI-MAJ" ignoreCase="true"/>
        <basic:Rule xsi:type="basic:AttributeValueString" attributeID="isMemberOf" value="COMPSCI-MIN" ignoreCase="true"/>
    </PermitValueRule>
</afp:PolicyRequirementRule>
isMemberOf from our attribute-resolver.xml:

<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="isMemberOf">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
The issue is with mixing the basic rule with the PermitValueRule; any ideas?
Thanks,
~Patrick
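For reference, here is the shape the Shibboleth IdP v2 attribute-filter syntax expects for this kind of policy. This is an added example, not the poster's configuration: in the filter engine a PolicyRequirementRule decides whether a policy applies to a request at all, while PermitValueRule elements live inside an AttributeRule and decide which values of one attribute may be released. Nesting a PermitValueRule directly under a basic:AND PolicyRequirementRule is outside the schema, which is why the combination above fails. The policy id and the bare group names (COMPSCI-MAJ, COMPSCI-MIN) are assumptions carried over from the post; if the LDAP connector returns full group DNs, the value strings would need to match those DNs instead.

```xml
<!-- Added example (not from the original post): release isMemberOf to one SP,
     but only the CompSci major/minor values. Assumes isMemberOf holds bare
     group names, as in the post; adjust the value strings if it holds DNs. -->
<afp:AttributeFilterPolicy id="releaseCompSciGroupsToFM">

    <!-- Policy applies only to requests from this service provider -->
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://fm.incommon.org/sp" />

    <!-- Value filtering is scoped to a single attribute via AttributeRule -->
    <afp:AttributeRule attributeID="isMemberOf">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString"
                        value="COMPSCI-MAJ" ignoreCase="true" />
            <basic:Rule xsi:type="basic:AttributeValueString"
                        value="COMPSCI-MIN" ignoreCase="true" />
        </afp:PermitValueRule>
    </afp:AttributeRule>

</afp:AttributeFilterPolicy>
```

Two points worth checking when deploying something like this. First, an attribute filter governs attribute release, not authentication: a user who is in neither group still authenticates at the IdP and reaches the SP, just with an empty isMemberOf, so the SP itself must enforce the access decision on that attribute. Second, with ignoreCase="true" the comparison is case-insensitive, so confirm that no other AD group differs from these two only by case before relying on the match.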