How to make IDP "site sensitive" for eduPersonPrimaryAffiliation

Eric Wedaa Eric.Wedaa at marist.edu
Tue Nov 17 14:53:21 EST 2015


All;

   I'm not sure I can get there from here, but maybe somebody can point me in the right direction.

   We have/want only a single IDP (running 2.4.0).  We have two SPs not under our control, faculty.example.org and student.example.org.  We only want faculty logging into faculty.example.org, and students logging into student.example.org.  The SPs do NOT pay attention to eduPersonPrimaryAffiliation, or any fields other than uid, email, firstname, lastname.

   I can edit attribute-filter.xml so that I only return uid, email, firstname, lastname for faculty to the faculty website, and uid, email, firstname, lastname for students to the student website.  If a student tries to log in to the faculty website I don't send uid, etc.  The SP then spews an error message that not all required fields were sent and does not allow them access.

   BUT...

   Management would prefer that when a student goes to faculty.example.org, and gets redirected to our IDP, the IDP, instead of authenticating (based on uid/password), just spins them into an infinite loop of authentication failures, or better yet, an error at the IDP saying "You're not allowed to go to the faculty website."

  What the heck should I be looking for in the Shib IDP docs?

>>>Ericw
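The per-SP release policy described in the post, written out as an added example for a Shibboleth IdP 2.x attribute-filter.xml (this is not the poster's own configuration). It assumes the two SPs' entityIDs are https://faculty.example.org/shibboleth and https://student.example.org/shibboleth, and that attribute-resolver.xml defines attributes with the IDs uid, email, firstName, lastName and eduPersonPrimaryAffiliation; substitute whatever IDs the resolver actually uses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumed entityIDs and attribute IDs;
     adjust to match the SP metadata and attribute-resolver.xml in use. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

    <!-- Release the SP's required attributes only when BOTH conditions hold:
         the requester is the faculty SP (matched on its entityID, not its hostname)
         AND the user's eduPersonPrimaryAffiliation is "faculty". A student reaching
         this SP matches neither policy in this file, so nothing is released and the
         SP rejects the session for missing required attributes. -->
    <afp:AttributeFilterPolicy id="releaseToFacultySP">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://faculty.example.org/shibboleth" />
            <basic:Rule xsi:type="basic:AttributeValueString"
                        attributeID="eduPersonPrimaryAffiliation"
                        value="faculty" />
        </afp:PolicyRequirementRule>

        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="firstName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="lastName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Mirror image for the student SP: same four attributes, released only to
         the student SP and only when the affiliation is "student". -->
    <afp:AttributeFilterPolicy id="releaseToStudentSP">
        <afp:PolicyRequirementRule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeRequesterString"
                        value="https://student.example.org/shibboleth" />
            <basic:Rule xsi:type="basic:AttributeValueString"
                        attributeID="eduPersonPrimaryAffiliation"
                        value="student" />
        </afp:PolicyRequirementRule>

        <afp:AttributeRule attributeID="uid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="firstName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="lastName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Two points worth checking before relying on this. First, AttributeRequesterString compares against the SP's entityID as it appears in the metadata the IdP has loaded, so the value must be the entityID, not the DNS name of the site. Second, the filter is deny-by-default: the IdP releases nothing unless some policy's requirement rule matches, which is exactly why the mismatched student still gets past authentication at the IdP and only fails at the SP. The attribute filter cannot stop authentication or show an IdP-side error; it only controls which attributes are released after a successful login, which is the gap the post is asking about.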


More information about the users mailing list