Documentation On shib-attr allowed regex?

Bryan K. Walton
Wed Aug 1 14:22:01 EDT 2018


Can anybody point me to some documentation on what are the allowed
regular expressions when setting up shib-attr to control authorization
in Apache?

We are working with an IdP that sends multiple attributes, in a comma
separated string.  Some of the attributes are relevant for
authorization, and some we ignore.  Furthermore, the comma separated
string can be in any order.  An example Attribute Value passed to us
might be something like:


We set up our shib-attr strings like this:

Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$

We have some users that have the attribute FNQM_CEJT in their
AttributeValue passed to us, that get in.  However, we have another
user, with the same value getting passed, but they get denied.

However, if we add another "Require shib-attr" line at the end, and we
hard code the comma separated string of attributes being passed for this
user, they get in.  The apache error log shows the user getting denied for
all of the attributes above, and then finally granted access based on a
match that doesn't use a regex.

It seems clear to me that something is wrong in my regular expressions
above. But I can't find any documentation on what types of expressions
are allowed.
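An added worked example (not part of the original post, and not Shibboleth project code) that models how the four `Require shib-attr ... ~` rules above behave against comma-separated role strings, and shows a tighter pattern. The point worth checking on any such rule: `^.*FNQM_CEJT.*$` is a substring match, so a value whose element is, say, `FNQM_CEJT_AUDIT` would also be granted access; `(.*,)?FNQM_CEJT(,.*)?` matches the role only as a whole comma-delimited element, in any position. Two things are assumptions here, not facts from the post: that the SP applies the regex to the whole value (which is what the `^.*…*$` form in the post implies) and that a multi-valued attribute is split on `;` before matching; check both against your SP version's documentation. The sample values and user names are constructed, and the example does not diagnose why one particular user was denied.

```python
import re

# Constructed sample attribute values (not taken from the original post). Each
# is the comma-separated role string the post describes; element order varies
# between users.  "dave" carries a role that merely contains FNQM_CEJT, and
# "erin" carries two values joined by ';' (the delimiter is an assumption).
SAMPLE_VALUES = {
    "alice": "FNQM_CEJT,STUDENT",
    "bob":   "STAFF,FNQM_ADMIN_CASUAL",
    "carol": "STUDENT",
    "dave":  "FNQM_CEJT_AUDIT",
    "erin":  "FNQM_ADMIN_CONTINUING;STUDENT",
}

AUTHORIZED_ROLES = [
    "FNQM_ADMIN_CASUAL",
    "FNQM_ADMIN_CONTINUING",
    "FNQM_ACAD_CONTINUING",
    "FNQM_CEJT",
]

# The loose form from the post: the role name anywhere in the value.
LOOSE_PATTERNS = [rf"^.*{role}.*$" for role in AUTHORIZED_ROLES]


def role_pattern(role: str) -> str:
    """Regex matching `role` only as a whole comma-delimited element, in any
    position of the string.  Role names are restricted to [A-Z0-9_] so the
    pattern needs no backslash escapes and pastes into httpd.conf unchanged."""
    if not re.fullmatch(r"[A-Z0-9_]+", role):
        raise ValueError(f"unsupported role name: {role!r}")
    return rf"(.*,)?{role}(,.*)?"


STRICT_PATTERNS = [role_pattern(role) for role in AUTHORIZED_ROLES]


def first_match(value: str, patterns, delimiter: str = ";"):
    """Return the first pattern that matches any single value of a (possibly
    multi-valued) attribute, or None.  Assumed model of the SP's `~` operator:
    multi-valued attributes are split on `delimiter` and each value must match
    the regex as a whole (hence the ^.*...*$ form in the post)."""
    for single in value.split(delimiter):
        for pattern in patterns:
            if re.fullmatch(pattern, single):
                return pattern
    return None


def authorized(value: str, patterns, delimiter: str = ";") -> bool:
    return first_match(value, patterns, delimiter) is not None


def require_lines(attribute: str, patterns) -> str:
    """Render the patterns as Apache `Require shib-attr` lines."""
    return "\n".join(f"Require shib-attr {attribute} ~ {p}" for p in patterns)


if __name__ == "__main__":
    for user, value in SAMPLE_VALUES.items():
        print(f"{user:6} loose={authorized(value, LOOSE_PATTERNS)!s:5} "
              f"strict={authorized(value, STRICT_PATTERNS)!s:5} value={value}")
    print(require_lines("carleton-ca-role", STRICT_PATTERNS))
```

Running it shows `dave` admitted by the loose patterns and refused by the strict ones, while `alice` and `bob` (role first and role last) pass both; the printed `Require` lines are the strict rules in the post's own syntax. If the SP's engine turns out to do a substring rather than a whole-value match, drop the `^.*` / `.*$` wrapping and the strict pattern still holds, because the optional groups pin the role to a comma or to an end of the string.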


