SAML Authentication using LDAP groups
Cantor, Scott
cantor.2 at osu.edu
Tue Dec 1 12:02:32 EST 2015
On 12/1/15, 10:58 AM, "users on behalf of Cahill, Charles (GE Appliances)" <users-bounces at shibboleth.net on behalf of Charles.Cahill at ge.com> wrote:
>I am also wondering, could this be handled on the Apache SP side in the conf file handling
>Location information?
You don't limit authentication by groups, and if you do, you do it with the memberOf approach and store the groups in each user entry. Then it's a simple matter of adjusting the filter in the LDAP login config to check for the group(s) required.
But that isn't the right model. You should ignore groups during login, resolve attributes based on group memberships and supply them as needed. Or use them within the IdP to enforce authorization via something like the context-check profile intercept.
These are basic separation of duty considerations. Multiple pieces that are simple to understand and compose are better than one complex piece.
-- Scott
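The two models Scott contrasts, as an added Python sketch that is not Shibboleth IdP code: a constructed directory whose entries carry their groups in memberOf, a minimal LDAP filter evaluator so the login filter can be tested literally, and then the recommended split into login, attribute resolution from groups, and a post-login authorization check. The group DNs, entitlement URNs and the name `context_check` are assumptions for illustration.

```python
"""Constructed model of group-based login filtering vs. separation of duty."""
import re

# Constructed directory: each user entry stores its groups in memberOf.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"],
        "memberOf": ["cn=staff,ou=groups,dc=example,dc=org",
                     "cn=wiki-admins,ou=groups,dc=example,dc=org"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"],
        "memberOf": ["cn=students,ou=groups,dc=example,dc=org"],
    },
}

# Group DN -> entitlement value: assumed mapping for "resolve attributes from groups".
GROUP_TO_ENTITLEMENT = {
    "cn=wiki-admins,ou=groups,dc=example,dc=org": "urn:example:wiki:admin",
    "cn=staff,ou=groups,dc=example,dc=org": "urn:example:staff",
}

_EQ = re.compile(r"^\(([A-Za-z]+)=([^()]*)\)$")

def filter_matches(entry, ldap_filter):
    """Evaluate a tiny subset of RFC 4515: (attr=value) and (&(...)(...))."""
    if ldap_filter.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", ldap_filter[2:-1])
        return all(filter_matches(entry, p) for p in parts)
    m = _EQ.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    return m.group(2) in entry.get(m.group(1), [])

def login_allowed_by_filter(username, required_group):
    """Model 1: the LDAP login filter itself requires the group (memberOf)."""
    ldap_filter = f"(&(uid={username})(memberOf={required_group}))"
    return any(filter_matches(e, ldap_filter) for e in DIRECTORY.values())

def authenticate(username):
    """Model 2, step 1: login checks only identity; groups are ignored here."""
    for entry in DIRECTORY.values():
        if filter_matches(entry, f"(uid={username})"):
            return entry
    return None

def resolve_attributes(entry):
    """Model 2, step 2: map memberOf values to eduPersonEntitlement."""
    groups = entry.get("memberOf", [])
    ents = [GROUP_TO_ENTITLEMENT[g] for g in groups if g in GROUP_TO_ENTITLEMENT]
    return {"uid": entry["uid"], "eduPersonEntitlement": ents}

def context_check(attributes, required_entitlement):
    """Model 2, step 3: authorization after login, separate from authentication."""
    return required_entitlement in attributes.get("eduPersonEntitlement", [])
```

With model 2, bob still authenticates and receives whatever attributes his groups resolve to, but fails the authorization check for the admin entitlement; with model 1 he cannot log in at all, and no other service can learn anything about him.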