Relying Party Access Control (by Group)
Matt Brennan
brennanma at gmail.com
Thu May 5 11:10:29 EDT 2016
Hi Nate,
Thanks for your reply. I am, unfortunately, still lost here. I can see,
from the docs, how it's supposed to work, but I can't figure out how to
actually check the attribute. Basically, I am trying to check if the user
is a member of a specific AD group. I do have this information coming into
Shibboleth as I release the group list to other SPs for access control. I
cannot figure out how to check group membership as part of the intercept
though.
So basically, I'm looking for docs or an example of how to check group
membership as part of the intercept.
Thanks
-Matt
On Tue, May 3, 2016 at 5:07 PM, Nate Klingenstein <ndk at sudonym.me> wrote:
> Matt,
>
> There’s an example that does this in a file in the distribution at
> $IDP_HOME/conf/intercept/context-check-intercept-config.xml. I think I
> could guess what to put in each of the fields. If part of that example is
> confusing, specific questions would probably be easier to answer.
>
> Congratulations on your yearly subscriptions,
> Nate.
>
> > On May 3, 2016, at 15:02, Matt Brennan <brennanma at gmail.com> wrote:
> >
> > Thanks for the reply, Scott. I completely agree, but the SP in question
> > doesn't do that ... and worse, they automatically charge me for a year
> > subscription for every user that logs in via SSO.
> >
> > I admit that I'm not very familiar with SWF. Has anyone else done this
> > (or something close) that they could provide an example of? Mainly just the
> > beans associated with the intercept.
> >
> > Thanks
> >
> > On Mon, May 2, 2016 at 5:27 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> > > I am trying to transition our remaining AD FS profiles over to Shibboleth
> > > (IDP 3). I am having an issue with one though - the particular SP is
> > > limited to specific users, based on AD group membership. I can't seem to
> > > find docs on how to implement this in Shibboleth. Can someone please
> > > point me in the right direction?
> >
> > We don't generally consider that a function of the IdP, authz is up to
> > the SP, with the IdP supplying the groups as attributes.
> >
> > If you must, see [1].
> >
> > -- Scott
> >
> > [1] https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration
> > --
> > To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net