Setting up IdP3 to release set of attributes only to CAS users
Jonathan Johnson
jsjohnson at unicon.net
Thu Aug 13 23:36:58 EDT 2015
Marvin, can you verify what version of Shibboleth you are using? I remember doing something like this a while back, but when I go to do the same in 3.1.2, the attributes are not returning. I tracked it down to `AttributeRequesterInEntityGroupPolicyRule.getEntityMetadata()` returning null (from the `AttributeFilterContext.requesterMetadataContextLookupStrategy.apply()` returning null).
I’ve tried this in 3.1.1, an instance of 3.1.1 upgraded to 3.1.2, and a stock instance of 3.1.2. I can share my configuration if you think it might help. Thanks.
-Jj
On August 13, 2015 at 14:58:06, Marvin Addison (marvin.addison at gmail.com) wrote:
We’re setting up IdP3 and want to release a set of attributes to only users that login via CAS. Has anyone done this?
Yes. Scott mentioned in another reply that SAML metadata support is intended for the future, but there's a simple CAS-specific metadata facility called "ServiceRegistry" that allows you to create regular expressions for CAS services and assign them to a metadata group. Following is an example from our institution in conf/cas-protocol.xml:
<bean id="cas.serviceRegistry"
      class="net.shibboleth.idp.cas.service.PatternServiceRegistry">
    <property name="definitions">
        <list>
            <bean class="net.shibboleth.idp.cas.service.ServiceDefinition"
                  c:regex="https://([A-Za-z0-9_-]+\.)*vt\.edu(:\d+)?/.*"
                  p:group="urn:mace:vt.edu:hokies"
                  p:authorizedToProxy="false" />
        </list>
    </property>
</bean>
This puts all https services in our institutional domain in a metadata group identified by the URN "urn:mace:vt.edu:hokies". Then you can do a group-based metadata filter in attribute-filter.xml:
<!-- Hokies release policy -->
<AttributeFilterPolicy id="releaseToHokies">
    <PolicyRequirementRule xsi:type="saml:InEntityGroup"
                           groupID="urn:mace:vt.edu:hokies"/>
    <AttributeRule attributeID="uid">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>
Please let me know if you have further questions.
M
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
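The two configuration fragments quoted above work as a pair: the service registry regex assigns a CAS service URL to a metadata group, and the filter policy releases attributes only when the requester is in that group. The following Python script is an added example, not code from this thread or from the Shibboleth project, that models that lookup and release decision so the regex can be checked against sample service URLs before it goes into cas-protocol.xml. It assumes whole-URL matching (as Java's Matcher.matches() does; confirm the semantics of the IdP release you run), and the function names (lookup_group, matches_anywhere, released_attributes), the sample URLs and the user attribute values are all constructed for the example.

```python
import re

# Service registry definitions, mirroring the cas-protocol.xml bean from the
# thread: each regex maps matching CAS service URLs to one metadata group.
# Constructed for this example; not Shibboleth's own code.
SERVICE_DEFINITIONS = [
    {"regex": r"https://([A-Za-z0-9_-]+\.)*vt\.edu(:\d+)?/.*",
     "group": "urn:mace:vt.edu:hokies"},
]

# Attribute filter policies, mirroring attribute-filter.xml: release the listed
# attributes when the requester belongs to the named group.
FILTER_POLICIES = [
    {"id": "releaseToHokies",
     "group": "urn:mace:vt.edu:hokies",
     "attributes": ["uid"]},
]


def lookup_group(service_url, definitions=SERVICE_DEFINITIONS):
    """Return the group of the first definition whose regex matches the whole
    service URL, or None when no definition matches (assumed full-match)."""
    for definition in definitions:
        if re.fullmatch(definition["regex"], service_url):
            return definition["group"]
    return None


def matches_anywhere(service_url, definitions=SERVICE_DEFINITIONS):
    """Check what an unanchored search would do with the same regex. A registry
    that searched instead of fully matching would accept a URL merely because an
    institutional URL appears somewhere inside it, so this is the check to run
    if you are unsure of the matching semantics."""
    return any(re.search(d["regex"], service_url) for d in definitions)


def released_attributes(service_url, available,
                        definitions=SERVICE_DEFINITIONS,
                        policies=FILTER_POLICIES):
    """Apply the group-based release policy: attributes are released only for
    policies whose group equals the group the service URL resolved to."""
    group = lookup_group(service_url, definitions)
    released = {}
    if group is None:
        return released
    for policy in policies:
        if policy["group"] != group:
            continue
        for attribute in policy["attributes"]:
            if attribute in available:
                released[attribute] = available[attribute]
    return released


if __name__ == "__main__":
    # Constructed sample service URLs: two inside the institutional domain,
    # three that should fall outside the group.
    sample_urls = [
        "https://login.vt.edu/cas/login",
        "https://vt.edu:8443/app/",
        "https://vt.edu.example.org/app/",
        "http://www.vt.edu/app/",
        "https://example.org/?next=https://www.vt.edu/",
    ]
    # Constructed attribute set for a hypothetical user.
    user_attributes = {"uid": "jdoe", "mail": "jdoe@vt.edu"}
    for url in sample_urls:
        print(url, "->", lookup_group(url),
              "search-would-match:", matches_anywhere(url),
              "released:", released_attributes(url, user_attributes))
```

Running the script shows that only the first two URLs resolve to urn:mace:vt.edu:hokies and receive uid; the mail attribute is never released because no policy lists it, and the last URL is the one where an unanchored search would have matched while a whole-URL match does not.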