Authenticated memberof group
IAM David Bantz
dabantz at alaska.edu
Tue May 2 19:21:32 EDT 2017
Shibb developers have built enormous flexibility into the IdP, so you can no
doubt implement such a restriction in the IdP; the simplest way I thought
of is Scott's: including the membership in the LDAP search during the
initial authentication (if using jaas.config,
userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))").
One issue is that that tactic in itself will result in failed
authentication if the user isn't in the group, without indication to user
of why or what to do about it.
Wouldn't it be preferable to have the IdP release an appropriate set of
memberOf values to the SP, and let the SP do authorization and respond
appropriately to the user: "You authenticated, but you do not have access
to this service; here's why or what you do about that..."?
David Bantz
UA OIT IAM
On Tue, May 2, 2017 at 3:10 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 5/2/17, 6:36 PM, "users on behalf of Daniel McDonald" <
> users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
>
> > We'd like to limit who's logging into shibboleth based on not only their
> > password, but if they're in a group as well.
>
> Then why don't you change your LDAP filter in the authentication check to
> exclude entries that aren't in the group?
>
> > I can return the "memberOf" attribute with a list of the user's groups. I
> > hoped that putting this in the ldap search filter would work but it
> > didn't:
>
> That looks like it's from the attribute resolver. How would that impact
> authentication?
>
> -- Scott
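Added example, not code from the thread: an SP-side authorization check of the kind David suggests, where the IdP has already released memberOf and the service distinguishes "not authenticated" from "authenticated but not in the group" instead of the LDAP bind simply failing. It assumes the Shibboleth SP's usual encoding of multi-valued attributes (values joined with ';', a literal ';' escaped as '\;'); the user names and group values are constructed.

```python
# Added example (not from the thread): SP-side group authorization on
# memberOf values released by the IdP, instead of failing the LDAP bind.
# Assumes the Shibboleth SP's multi-value encoding: values joined with ';',
# literal ';' escaped as '\;'. Sample users and groups are constructed.
from dataclasses import dataclass
from typing import Optional

REQUIRED_GROUP = "CN=MyGroup,CN=Users,DC=umass,DC=net"  # DN used in the thread


def split_sp_attribute(raw: str) -> list[str]:
    """Split a Shibboleth SP multi-valued attribute into its values."""
    values, current, escaped = [], [], False
    for ch in raw:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
    values.append("".join(current))
    return [v for v in values if v]


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDNs so DN comparison is robust."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


@dataclass
class Decision:
    authenticated: bool
    authorized: bool
    message: str


def authorize(remote_user: Optional[str], member_of: Optional[str],
              required_group: str = REQUIRED_GROUP) -> Decision:
    """Decide access and give the user a message that explains the outcome."""
    if not remote_user:
        return Decision(False, False, "Not authenticated; redirecting to the IdP.")
    groups = {normalize_dn(g) for g in split_sp_attribute(member_of or "")}
    if normalize_dn(required_group) in groups:
        return Decision(True, True, f"Welcome, {remote_user}.")
    return Decision(True, False,
                    f"You authenticated as {remote_user}, but this service requires "
                    f"membership in {required_group}; ask the service owner for access.")
```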