Setting up IdP3 to release set of attributes only to CAS users
Marvin Addison
marvin.addison at gmail.com
Thu Aug 13 15:57:38 EDT 2015
>
> We’re setting up IdP3 and want to release a set of attributes to only
> users that login via CAS. Has anyone done this?
>
Yes. Scott mentioned in another reply that SAML metadata support is
intended for the future, but there's a simple CAS-specific metadata
facility called "ServiceRegistry" that allows you to create regular
expressions for CAS services and assign them to a metadata group. Following
is an example from our institution in conf/cas-protocol.xml:
<bean id="cas.serviceRegistry"
      class="net.shibboleth.idp.cas.service.PatternServiceRegistry">
  <property name="definitions">
    <list>
      <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
            c:regex="https://([A-Za-z0-9_-]+\.)*vt\.edu(:\d+)?/.*"
            p:group="urn:mace:vt.edu:hokies"
            p:authorizedToProxy="false" />
    </list>
  </property>
</bean>
This puts all https services in our institutional domain in a metadata
group identified by the URN "urn:mace:vt.edu:hokies". Then you can do a
group-based metadata filter in attribute-filter.xml:
<!-- Hokies release policy -->
<AttributeFilterPolicy id="releaseToHokies">
  <PolicyRequirementRule xsi:type="saml:InEntityGroup"
                         groupID="urn:mace:vt.edu:hokies"/>
  <AttributeRule attributeID="uid">
    <PermitValueRule xsi:type="basic:ANY" />
  </AttributeRule>
</AttributeFilterPolicy>
Please let me know if you have further questions.
M
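Added example (not from the post above and not Shibboleth IdP code): a small Python stand-in for the PatternServiceRegistry / InEntityGroup pairing described above, used to check which CAS service URLs the regex admits to the group and therefore which attributes a service would receive. The sample URLs are constructed. It assumes the IdP applies the service regex as a whole-string match (Java `Pattern.matches()`, emulated here with `re.fullmatch`); `re.search` is included only to show how an unanchored match would let an unrelated service that merely embeds an institutional URL in its query string claim group membership, which is the check worth running against any regex you put in a ServiceDefinition.

```python
import re

# Constructed stand-in for the cas.serviceRegistry bean above:
# (regex, group, authorizedToProxy) per ServiceDefinition.
SERVICE_DEFINITIONS = [
    (r"https://([A-Za-z0-9_-]+\.)*vt\.edu(:\d+)?/.*",
     "urn:mace:vt.edu:hokies", False),
]

# Constructed stand-in for the attribute-filter.xml policy above:
# group -> attributes whose values are released (PermitValueRule ANY).
RELEASE_POLICIES = {
    "urn:mace:vt.edu:hokies": {"uid"},
}


def lookup_group(service_url, definitions=SERVICE_DEFINITIONS, full_match=True):
    """Return the group of the first definition matching service_url, or None
    when no definition matches (an unregistered service).

    full_match=True emulates Java Pattern.matches(), which is assumed to be
    how the IdP applies the regex; full_match=False emulates an unanchored
    find() and is here only to show the over-admission that would cause.
    """
    for regex, group, _authorized_to_proxy in definitions:
        pattern = re.compile(regex)
        hit = (pattern.fullmatch(service_url) if full_match
               else pattern.search(service_url))
        if hit:
            return group
    return None


def released_attributes(service_url, definitions=SERVICE_DEFINITIONS,
                        policies=RELEASE_POLICIES, full_match=True):
    """Attributes a service in the matched group would receive; empty set
    when the service is unregistered or its group has no release policy."""
    group = lookup_group(service_url, definitions, full_match)
    if group is None:
        return set()
    return set(policies.get(group, set()))


if __name__ == "__main__":
    # Constructed sample service URLs, including the edge cases that matter.
    samples = [
        "https://www.vt.edu/cas-client/",
        "https://app.cs.vt.edu:8443/login?next=/home",
        "https://vt.edu/",
        "https://www.vt.edu",                               # no "/" after host
        "http://www.vt.edu/",                               # plain http
        "https://vt.edu.attacker.example/",                 # suffix spoof
        "https://attacker.example/?u=https://www.vt.edu/",  # embedded URL
    ]
    for url in samples:
        print(f"{url:52} fullmatch={lookup_group(url)!s:24} "
              f"search={lookup_group(url, full_match=False)}")
```

With whole-string matching only the first three URLs land in the group and get `uid`; the last URL is admitted only under the unanchored `search`, which is why the anchoring behaviour of the registry matters as much as the regex itself.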