Relying Party Access Control (by Group)

Matt Brennan brennanma at
Tue May 3 17:02:28 EDT 2016

Thanks for the reply, Scott. I completely agree, but the SP in question
doesn't do that ... and worse, they automatically charge me for a year
subscription for every user that logs in via SSO.

I admit that I'm not very familiar with SWF. Has anyone else done this (or
something close) that they could provide an example of? Mainly just the
beans associated with the intercept.


On Mon, May 2, 2016 at 5:27 PM, Cantor, Scott <cantor.2 at> wrote:

> > I am trying to transition our remaining AD FS profiles over to
> Shibboleth (IDP
> > 3). I am having an issue with one though - the particular SP is limited
> to
> > specific users, based on AD group membership. I can't see to find docs on
> > how to implement this is in Shibboleth. Can someone please point me in
> the
> > right direction?
> We don't generally consider that a function of the IdP, authz is up to the
> SP, with the IdP supplying the groups as attributes.
> If you must, see [1].
> -- Scott
> [1]
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list