Relying Party Access Control (by Group)
Nate Klingenstein
ndk at sudonym.me
Tue May 3 17:07:33 EDT 2016
Matt,
There’s an example that does this in a file in the distribution at $IDP_HOME/conf/intercept/context-check-intercept-config.xml. I think I could guess what to put in each of the fields. If part of that example is confusing, specific questions would probably be easier to answer.
Congratulations on your yearly subscriptions,
Nate.
> On May 3, 2016, at 15:02, Matt Brennan <brennanma at gmail.com> wrote:
>
> Thanks for the reply, Scott. I completely agree, but the SP in question doesn't do that ... and worse, they automatically charge me for a year subscription for every user that logs in via SSO.
>
> I admit that I'm not very familiar with SWF. Has anyone else done this (or something close) that they could provide an example of? Mainly just the beans associated with the intercept.
>
> Thanks
>
> On Mon, May 2, 2016 at 5:27 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > I am trying to transition our remaining AD FS profiles over to Shibboleth (IDP
> > 3). I am having an issue with one though - the particular SP is limited to
> > specific users, based on AD group membership. I can't seem to find docs on
> > how to implement this in Shibboleth. Can someone please point me in the
> > right direction?
>
> We don't generally consider that a function of the IdP, authz is up to the SP, with the IdP supplying the groups as attributes.
>
> If you must, see [1].
>
> -- Scott
>
> [1] https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration
> --
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net