Documentation On shib-attr allowed regex?
Brian Biggs
brian.biggs at sonoma.edu
Wed Aug 1 17:51:35 EDT 2018
Just build 1 regex that handles all 4 cases?
Require shib-attr carleton-ca-role ~ ^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$
-Brian
On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
> Hi,
>
> Can anybody point me to some documentation on what are the allowed
> regular expressions when setting up shib-attr to control authorization
> in Apache?
>
> We are working with an IdP that sends multiple attributes, in a comma
> separated string. Some of the attributes are relevant for
> authorization, and some we ignore. Furthermore, the comma separated
> string can be in any order. An example Attribute Value passed to us
> might be something like:
>
> "Student,FNQM_CEJT,MANUAL_DEPT"
>
> We set up our shib-attr strings like this:
>
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
>
> We have some users that have the attribute FNQM_CEJT in their
> AttributeValue passed to us, that get in. However, we have another
> user, with the same value getting passed, but they get denied.
>
> However, if we add another "Require shib-attr" line at the end, and we
> hard code the comma separated string of attributes being passed for this
> user, they get in. The Apache error log shows the user getting denied for
> all of the attributes above, and then finally granted access based on a
> match that doesn't use a regex.
>
> It seems clear to me that something is wrong in my regular expressions
> above. But I can't find any documentation on what types of expressions
> are allowed.
>
> Thanks!
> Bryan
>
>
--
Lead IdM/IdP/Systems Integration
Information Technology
Sonoma State University
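As an added illustration (not code from this thread, and not from the Shibboleth project), the script below evaluates the four original `Require shib-attr ... ~` patterns, the single combined regex from the reply, and two tighter alternatives against a handful of attribute values. Only the first sample value comes from the question; the others are constructed here to probe edge cases. It assumes Python's `re.search` semantics stand in for whatever regex engine the Shibboleth SP Apache module applies to the attribute string, so treat the results as a model of the patterns, not of the module.

```python
import re

# Constructed sample attribute values. Only the first one appears in the
# thread; the rest are made up here to probe edge cases.
SAMPLE_VALUES = {
    "cejt_student": "Student,FNQM_CEJT,MANUAL_DEPT",   # from the original post
    "admin_casual": "FNQM_ADMIN_CASUAL,Staff",          # constructed
    "admin_bare":   "Staff,FNQM_ADMIN",                 # constructed: no _CASUAL/_CONTINUING suffix
    "acad_casual":  "FNQM_ACAD_CASUAL",                 # constructed: combination none of the four rules name
    "substring":    "Student,XFNQM_CEJTX",              # constructed: FNQM_CEJT inside a longer token
    "no_role":      "Student,MANUAL_DEPT",              # constructed: none of the roles
}

# The four patterns from the question, exactly as written in the Require lines.
ORIGINAL_RULES = [
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
]

# The single combined pattern proposed in the reply.
COMBINED_RULE = r"^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$"

# A tightened alternative (not from the thread): the same four roles, each
# anchored to the start/end of the string or a comma, so a role only matches
# as a whole comma-separated token rather than as a substring.
ANCHORED_RULE = (
    r"(?:^|,)"
    r"(?:FNQM_ADMIN_CASUAL|FNQM_ADMIN_CONTINUING|FNQM_ACAD_CONTINUING|FNQM_CEJT)"
    r"(?:,|$)"
)

# Exact-token comparison, the approach that needs no regex at all.
ALLOWED_ROLES = frozenset({
    "FNQM_ADMIN_CASUAL",
    "FNQM_ADMIN_CONTINUING",
    "FNQM_ACAD_CONTINUING",
    "FNQM_CEJT",
})


def first_matching_rule(value, rules):
    """Return the index of the first regex in `rules` that matches `value`,
    or None. Mirrors a list of Require lines where any one match grants
    access (assumption: the regex is evaluated against the whole
    comma-separated string, which is what re.search does here)."""
    for i, pattern in enumerate(rules):
        if re.search(pattern, value):
            return i
    return None


def allowed_by_tokens(value, allowed=ALLOWED_ROLES):
    """Split the comma-separated value into tokens and grant access only if
    one token is exactly an allowed role."""
    tokens = {t.strip() for t in value.split(",")}
    return not tokens.isdisjoint(allowed)


def evaluate(value):
    """Decide `value` under each of the four strategies."""
    return {
        "original": first_matching_rule(value, ORIGINAL_RULES) is not None,
        "combined": re.search(COMBINED_RULE, value) is not None,
        "anchored": re.search(ANCHORED_RULE, value) is not None,
        "tokens":   allowed_by_tokens(value),
    }


def evaluate_all(samples=SAMPLE_VALUES):
    """Evaluate every sample value; returns {name: decision dict}."""
    return {name: evaluate(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:13s} {SAMPLE_VALUES[name]!r:40s} {decision}")
```

Two things the run makes visible. First, the combined regex is broader than the four lines it replaces: because the `(_(CASUAL|CONTINUING))?` group is optional and applies to all three prefixes, a bare `FNQM_ADMIN` or an `FNQM_ACAD_CASUAL` value is now accepted even though none of the original four rules would have granted it. Second, both the original `^.*ROLE.*$` form and the combined form are substring matches, so a longer token that merely contains `FNQM_CEJT` also passes; anchoring each role to a comma or string boundary, or splitting on commas and comparing whole tokens, removes that.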