Documentation On shib-attr allowed regex?
brian.biggs at sonoma.edu
Wed Aug 1 17:51:35 EDT 2018
Just build 1 regex that handles all 4 cases?
Require shib-attr carleton-ca-role ~ ^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$
On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
> Can anybody point me to some documentation on what are the allowed
> regular expressions when setting up shib-attr to control authorization
> in Apache?
> We are working with an IdP that sends multiple attributes, in a comma
> separated string. Some of the attributes are relevant for
> authorization, and some we ignore. Furthermore, the comma separated
> string can be in any order. An example Attribute Value passed to us
> might be something like:
> We setup our shib-attr strings like this:
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
> We have some users that have the attribute FNQM_CEJT in their
> AttributeValue passed to us, that get in. However, we have another
> user, with the same value getting passed, but they get denied.
> However, if we add another "Require shib-attr" line at the end, and we
> hard code the comma separated string of attributes being passed for this
> user, they get in. The apache error log shows the user getting denied for
> all of the attributes above, and then finally granted access based on a
> match that doesn't use a regex.
> It seems clear to me that something is wrong in my regular expressions
> above. But I can't find any documentation on what types of expressions
> are allowed.
Lead IdM/IdP/Systems Integration
Sonoma State University
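To see what the single combined pattern accepts compared with the four original Require lines, here is an added Python script (not from the thread or the Shibboleth project). It assumes mod_shib's `~` operator behaves like a Perl-style regex search, which Python's `re` approximates; the "strict" pattern is my own tighter alternative that accepts only the four named roles, and only as whole comma-separated elements.

```python
import re

# Brian's combined pattern from the reply above.
COMBINED = re.compile(r"^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$")

# Bryan's four original Require lines; Apache grants access if any one matches.
ORIGINAL = [re.compile(p) for p in (
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
)]

# Tighter alternative (my assumption, not from the thread): accept exactly the four
# role names, and only as a whole comma-separated element, so a role such as
# FNQM_CEJTX or FNQM_ACAD_CASUAL is not matched by accident.
STRICT = re.compile(
    r"(?:^|,)\s*(?:FNQM_ADMIN_CASUAL|FNQM_ADMIN_CONTINUING"
    r"|FNQM_ACAD_CONTINUING|FNQM_CEJT)\s*(?:,|$)"
)


def evaluate(value: str) -> dict:
    """Return which of the three rule sets would grant access for one attribute value."""
    return {
        "original": any(p.search(value) for p in ORIGINAL),
        "combined": COMBINED.search(value) is not None,
        "strict": STRICT.search(value) is not None,
    }


if __name__ == "__main__":
    # Constructed sample values; the thread does not show the real attribute string.
    for sample in (
        "FNQM_STUDENT,FNQM_CEJT,FNQM_OTHER",
        "FNQM_STAFF, FNQM_ADMIN_CASUAL",
        "FNQM_ACAD_CASUAL",   # combined grants, original and strict do not
        "FNQM_CEJTX",         # substring match grants in original and combined only
        "FNQM_STUDENT",
    ):
        print(f"{sample!r:40} -> {evaluate(sample)}")
```

Note that the combined pattern is broader than the four original lines: the optional suffix group also lets through FNQM_ADMIN, FNQM_ACAD and FNQM_ACAD_CASUAL, which the original rules denied.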