Handling New User Memberships
Brandon McKean
mckeanbs at jmu.edu
Tue May 9 15:32:40 EDT 2017
Thank you Scott. I've been going through the documentation and have
arrived at this for trying to allow access based on an attribute's value:
> <bean id="ContextCheckPredicate"
> class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
> p:useUnfilteredAttributes="true">
> <property name="attributeValueMap">
> <map>
> <entry key="eduPersonAffiliation">
> <list>
> <value>staff</value>
> </list>
> </entry>
> </map>
> </property>
> </bean>
While it's processed by Shibboleth, it doesn't seem to be using the
attribute as expected:
> 2017-05-09 15:28:24,601 - DEBUG
> [net.shibboleth.idp.profile.logic.SimpleAttributePredicate:87] -
> Checking for attribute: eduPersonAffiliation
> 2017-05-09 15:28:24,602 - DEBUG
> [net.shibboleth.idp.profile.logic.SimpleAttributePredicate:91] -
> Attribute eduPersonAffiliation not found in context
Does anything look off in the bean? Should I be doing something else?
Thanks,
--
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
On 05/09/2017 11:40 AM, Cantor, Scott wrote:
>> My question is, has anyone else encountered a situation like this? And
>> if so, how did you handle it?
> IdP-side authorization was built into V3, see the context-check interceptor.
>
> -- Scott
>
More information about the users
mailing list