SAML Authentication using LDAP groups
Cahill, Charles (GE Appliances)
Charles.Cahill at ge.com
Wed Dec 2 09:57:16 EST 2015
Understood, I will change that variable to something other than DisplayName.
"displayname" in our Linux LDAP is really the name of a group. In Windows Active Directory it is something
else totally but I can see where the confusion may come into play here.
Charles
-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Wednesday, December 02, 2015 9:46 AM
To: Shib Users
Subject: Re: SAML Authentication using LDAP groups
On 12/2/15, 8:46 AM, "users on behalf of Cahill, Charles (GE Appliances)" <users-bounces at shibboleth.net on behalf of Charles.Cahill at ge.com> wrote:
>I was able to then configure the Apache Service Provider Shib.conf to limit who can access the website by using this location block. Keep in mind that the Protected web root that is being fed is a variable and so is the group "displayname".
When you use displayName in SAML, that's about a user (the subject of the assertion), not a group. It's going to confuse the heck out of anybody coming after you. I really wouldn't do that.
-- Scott