Relying Party Access Control (by Group)

Cantor, Scott cantor.2 at
Thu May 5 11:16:13 EDT 2016

>   Thanks for your reply. I am, unfortunately, still lost here. I can see, from the
> docs, how it's supposed to work, but I can't figure out how to actually check
> the attribute. Basically, I am trying to check if the user is a member of a
> specific AD group. I do have this information coming into Shibboleth as I
> release the group list to other SP's for access control. I cannot figure out how
> to check group membership as part of the intercept though.
>   So basically, I'm looking for docs or an example of how to check group
> membership as part of the intercept.

The existing file is an example, so unless you can explain what you don't understand, I don't know how to answer this.

The file as shipped uses the context-check interceptor flow to run an example predicate (condition) and the example it shows uses a built-in class, SimpleAttributePredicate, as the condition to check. The javadoc for that class [1] describes what its inputs are and what it does, and the example in the file includes a map whose only entry is to check for any value in the "eppn" attribute.

I don't know the name(s) of your attributes or what you want to check for, but they just go into the map.

-- Scott


More information about the users mailing list