Relying Party Access Control (by Group)

Matt Brennan brennanma at
Thu May 5 13:42:20 EDT 2016

That reply actually helped. It's working now.

Thank you,

On Thu, May 5, 2016 at 11:16 AM, Cantor, Scott <cantor.2 at> wrote:

> >   Thanks for your reply. I am, unfortunately, still lost here. I can
> see, from the
> > docs, how it's supposed to work, but I can't figure out how to actually
> check
> > the attribute. Basically, I am trying to check if the user is a member
> of a
> > specific AD group. I do have this information coming into Shibboleth as I
> > release the group list to other SP's for access control. I cannot figure
> out how
> > to check group membership as part of the intercept though.
> >
> >   So basically, I'm looking for docs or an example of how to check group
> > membership as part of the intercept.
> The existing file is an example, so unless you can explain what you don't
> understand, I don't know how to answer this.
> The file as shipped uses the context-check interceptor flow to run an
> example predicate (condition) and the example it shows uses a built-in
> class, SimpleAttributePredicate, as the condition to check. The javadoc for
> that class [1] describes what its inputs are and what it does, and the
> example in the file includes a map whose only entry is to check for any
> value in the "eppn" attribute.
> I don't know the name(s) of your attributes or what you want to check for,
> but they just go into the map.
> -- Scott
> [1]
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list