Relying Party Access Control (by Group)

Matt Brennan brennanma at gmail.com
Thu May 5 13:42:20 EDT 2016


That reply actually helped. It's working now.

Thank you,
Matt



On Thu, May 5, 2016 at 11:16 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> > Thanks for your reply. I am, unfortunately, still lost here. I can see,
> > from the docs, how it's supposed to work, but I can't figure out how to
> > actually check the attribute. Basically, I am trying to check if the user
> > is a member of a specific AD group. I do have this information coming into
> > Shibboleth as I release the group list to other SPs for access control. I
> > cannot figure out how to check group membership as part of the intercept
> > though.
> >
> > So basically, I'm looking for docs or an example of how to check group
> > membership as part of the intercept.
>
> The existing file is an example, so unless you can explain what you don't
> understand, I don't know how to answer this.
>
> The file as shipped uses the context-check interceptor flow to run an
> example predicate (condition) and the example it shows uses a built-in
> class, SimpleAttributePredicate, as the condition to check. The javadoc for
> that class [1] describes what its inputs are and what it does, and the
> example in the file includes a map whose only entry is to check for any
> value in the "eppn" attribute.
>
> I don't know the name(s) of your attributes or what you want to check for,
> but they just go into the map.
>
> -- Scott
>
> [1]
> https://build.shibboleth.net/jenkins/job/java-identity-provider-nightly/javadoc/net/shibboleth/idp/profile/logic/SimpleAttributePredicate.html
>
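As an added illustration of the map Scott describes (not part of the original thread and not the project's shipped file), here is a SimpleAttributePredicate condition that checks for one group value instead of any "eppn" value. The bean id, the attribute id "memberOf" and the group DN are assumptions; substitute the names your own attribute resolver produces.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Condition evaluated by the context-check interceptor flow.
         The bean id is assumed to match the one used in the shipped file. -->
    <bean id="shibboleth.context-check.Condition"
          class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">

        <!-- Evaluate the resolved attributes before release filtering, so the
             check does not depend on the group list being released to this SP. -->
        <property name="useUnfilteredAttributes" value="true" />

        <property name="attributeValueMap">
            <map>
                <!-- Key: the IdP attribute id that carries the AD groups.
                     "memberOf" is an assumed id, not taken from the thread. -->
                <entry key="memberOf">
                    <list>
                        <!-- Constructed placeholder value. It has to equal the
                             resolved attribute value character for character. -->
                        <value>CN=example-app-users,OU=Groups,DC=example,DC=org</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>
</beans>
```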

