Authenticated memberof group
Daniel McDonald
daniel.mcdonald at umb.edu
Wed May 3 16:30:39 EDT 2017
In a normal situation yes, we'd like to tell the users why it's failing;
in this particular project, though, a failed login with no explanation is
fine.
I was trying to do something like both you and Scott mentioned, changing
the LDAP search filter to only allow access if they're in a certain
group. This is shibboleth idp 3.3.1 BTW.
Right now I have this as my CDATA section within my DataConnector which
successfully matches on the mail attribute. The CDATA values are
actually a variable %{idp.attribute.resolver.LDAP.searchFilter} in
attribute-resolver.xml but these are the values it should be reading
when it runs.
This is successfully authenticating:
<FilterTemplate>
<![CDATA[
(mail=$requestContext.principalName)
]]>
</FilterTemplate>
I tried this next line but it didn't seem to work; users not in the group
are able to log in:
<FilterTemplate>
<![CDATA[
(&(mail=$requestContext.principalName)(memberOf=CN=MyGroup,CN=Users,DC=school,DC=net))
]]>
</FilterTemplate>
Should that work?
Thanks
Dan
On 05/02/2017 07:21 PM, IAM David Bantz wrote:
> Shibb developers have built in enormous flexibility into the IdP so
> you no doubt implement such a restriction in the IdP, the simplest way
> I thought of is Scott's, including the membership in the LDAP search
> during the initial authentication (if using jaas.config,
> userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))".
>
>
> One issue is that that tactic in itself will result in failed
> authentication if the user isn't in the group, without indication to
> user of why or what to do about it.
>
> Wouldn't it be preferable to have the IdP release an appropriate set
> of memberOf values to the SP, and let the SP do authorization and
> respond appropriately to the user: "You authenticated, but you do not
> have access to this service; here's why or what you do about that..."?
>
> David Bantz
> UA OIT IAM
>
> On Tue, May 2, 2017 at 3:10 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
> On 5/2/17, 6:36 PM, "users on behalf of Daniel McDonald" <users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
>
> > We'd like to limit who's logging into shibboleth based on not only their
> > password, but if they're in a group as well.
>
> Then why don't you change your LDAP filter in the authentication
> check to exclude entries that aren't in the group?
>
> > I can return the "memberOf" attribute with a list of the user's groups. I
> > hoped that putting this in the ldap search filter would work but it didn't:
>
> That looks like it's from the attribute resolver. How would that
> impact authentication?
>
> -- Scott
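The distinction Scott draws above is the whole answer to Dan's question: the FilterTemplate in a DataConnector belongs to the attribute resolver, which only runs after the user has already authenticated, so a memberOf condition there simply makes the resolver return no attributes for non-members; it never rejects the login. In IdP 3.x the filter that gates authentication is the bind-search filter, `idp.authn.LDAP.userFilter` in `conf/ldap.properties` (used with `idp.authn.LDAP.authenticator = bindSearchAuthenticator`), which is where David's `(&(sAMAccountName={user})(memberOf=...))` form goes. Two caveats worth knowing: AD's `memberOf` is not recursive, so users who reach MyGroup only through a nested group are excluded unless the filter uses AD's chain matching rule (`memberOf:1.2.840.113556.1.4.1941:=CN=MyGroup,...`), and the value substituted for `{user}` must be filter-escaped so a typed username cannot change the filter's structure (the IdP's LDAP library does this for you). The following Python model is an added illustration of that flow, not code from the thread or from Shibboleth: the directory entries, passwords and the `bind_search_authenticate` / `resolve_attributes` functions are constructed stand-ins for the real authenticator and resolver, and the evaluator handles only the equality, and, or and not filter forms used in the thread.

```python
import re

# Constructed sample directory (not real accounts); "_password" stands in
# for the simple bind the real authenticator performs against the found DN.
GROUP_DN = "CN=MyGroup,CN=Users,DC=school,DC=net"
DIRECTORY = {
    "CN=Alice,CN=Users,DC=school,DC=net": {
        "mail": ["alice@school.net"],
        "sAMAccountName": ["alice"],
        "memberOf": [GROUP_DN, "CN=Staff,CN=Users,DC=school,DC=net"],
        "_password": "alice-pw",
    },
    "CN=Bob,CN=Users,DC=school,DC=net": {
        "mail": ["bob@school.net"],
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=Staff,CN=Users,DC=school,DC=net"],  # not in MyGroup
        "_password": "bob-pw",
    },
}

# The filters discussed in the thread, with the IdP's placeholders.
AUTHN_PLAIN = "(mail={user})"
AUTHN_GROUP = "(&(mail={user})(memberOf=%s))" % GROUP_DN
RESOLVER_GROUP = "(&(mail=$requestContext.principalName)(memberOf=%s))" % GROUP_DN


def escape_filter_value(value):
    """RFC 4515 escaping of a value placed into a filter, so user input
    cannot add or close filter components."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s, i):
    """Parse one component starting at s[i] == '('; return (node, next index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        assert s[i] == ")"
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr, _unescape(value)), j + 1


def parse_filter(s):
    node, i = _parse(s.strip(), 0)
    if i != len(s.strip()):
        raise ValueError("trailing characters in filter")
    return node


def _matches(node, entry):
    kind = node[0]
    if kind == "=":
        _, attr, value = node
        # attribute names, and the DN values compared here, are case-insensitive
        vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(v.lower() == value.lower() for v in vals)
    children = node[1]
    if kind == "&":
        return all(_matches(c, entry) for c in children)
    if kind == "|":
        return any(_matches(c, entry) for c in children)
    return not _matches(children[0], entry)


def search(directory, filter_str, principal):
    """Substitute the escaped principal for either placeholder and return matching DNs."""
    safe = escape_filter_value(principal)
    filled = filter_str.replace("{user}", safe).replace("$requestContext.principalName", safe)
    node = parse_filter(filled)
    return [dn for dn, e in directory.items() if _matches(node, e)]


def bind_search_authenticate(directory, user, password, user_filter):
    """Model of bindSearchAuthenticator: the user filter must yield exactly one
    DN, then the password is checked against it; anything else is a failed login."""
    dns = search(directory, user_filter, user)
    if len(dns) != 1 or directory[dns[0]]["_password"] != password:
        return None
    return dns[0]


def resolve_attributes(directory, principal, filter_template):
    """Model of the resolver's LDAP DataConnector: runs only after a successful
    login, and an empty result just means no attributes, not a rejected user."""
    return {dn: {k: v for k, v in directory[dn].items() if not k.startswith("_")}
            for dn in search(directory, filter_template, principal)}


def login_and_resolve(directory, user, password, user_filter, resolver_filter):
    dn = bind_search_authenticate(directory, user, password, user_filter)
    if dn is None:
        return {"authenticated": False, "attributes": {}}
    return {"authenticated": True,
            "attributes": resolve_attributes(directory, user, resolver_filter)}
```

Running Dan's setup through the model (`AUTHN_PLAIN` for authentication, `RESOLVER_GROUP` in the resolver) logs Bob in with an empty attribute set, which is exactly the symptom reported; moving the memberOf condition into the authentication filter (`AUTHN_GROUP`) makes Bob's search return no DN, so no bind is attempted and the login fails before any attribute resolution.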