Relying Party Access Control (by Group)
Cantor, Scott
cantor.2 at osu.edu
Thu May 5 11:16:13 EDT 2016
> Thanks for your reply. I am, unfortunately, still lost here. I can see, from the
> docs, how it's supposed to work, but I can't figure out how to actually check
> the attribute. Basically, I am trying to check if the user is a member of a
> specific AD group. I do have this information coming into Shibboleth as I
> release the group list to other SPs for access control. I cannot figure out how
> to check group membership as part of the intercept though.
>
> So basically, I'm looking for docs or an example of how to check group
> membership as part of the intercept.
The existing file is an example, so unless you can explain what you don't understand, I don't know how to answer this.
The file as shipped uses the context-check interceptor flow to run an example predicate (condition) and the example it shows uses a built-in class, SimpleAttributePredicate, as the condition to check. The javadoc for that class [1] describes what its inputs are and what it does, and the example in the file includes a map whose only entry is to check for any value in the "eppn" attribute.
I don't know the name(s) of your attributes or what you want to check for, but they just go into the map.
-- Scott
[1] https://build.shibboleth.net/jenkins/job/java-identity-provider-nightly/javadoc/net/shibboleth/idp/profile/logic/SimpleAttributePredicate.html
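An added example, not the shipped file or Scott's own text, of what such a map entry looks like when it checks an AD group rather than "any eppn". It assumes the IdP resolves an attribute with ID "memberOf" holding the group DNs and that the group DN shown is a constructed placeholder.

```xml
<!-- conf/intercept/context-check-intercept-config.xml (added example) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Condition evaluated by the context-check interceptor flow.
         Assumption: the attribute resolver defines an attribute with ID
         "memberOf" carrying the user's AD group DNs; the DN below is a
         constructed placeholder. The check passes only if at least one value
         of "memberOf" equals the listed string; otherwise the flow fails and
         the user is shown the context-check error view. -->
    <bean id="shibboleth.context-check.Condition"
          parent="shibboleth.Conditions.SimpleAttribute">
        <property name="attributeValueMap">
            <map>
                <!-- Every map entry must be satisfied; within one entry, any
                     single listed value matching is enough. A value of "*"
                     (as in the shipped eppn example) means "any value". -->
                <entry key="memberOf">
                    <list>
                        <value>CN=SP-Users,OU=Groups,DC=example,DC=org</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>
</beans>
```

The comparison is a plain string match, so the value must be spelled exactly as the resolver produces it; the flow itself is turned on per relying party through the postAuthenticationFlows property (value "context-check") in relying-party.xml.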