Documentation On shib-attr allowed regex?

Brian Biggs brian.biggs at
Wed Aug 1 17:51:35 EDT 2018

Just build 1 regex that handles all 4 cases?

Require shib-attr carleton-ca-role ~ ^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$


On 08/01/2018 11:22 AM, Bryan K. Walton wrote:
> Hi,
> Can anybody point me to some documentation on what are the allowed
> regular expressions when setting up shib-attr to control authorization
> in Apache?
> We are working with an IdP that sends multiple attributes in a comma
> separated string.  Some of the attributes are relevant for
> authorization, and some we ignore.  Furthermore, the comma separated
> string can be in any order.  An example Attribute Value passed to us
> might be something like:
> We setup our shib-attr strings like this:
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CASUAL.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ADMIN_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_ACAD_CONTINUING.*$
> Require shib-attr carleton-ca-role ~ ^.*FNQM_CEJT.*$
> We have some users that have the attribute FNQM_CEJT in their
> AttributeValue passed to us, that get in.  However, we have another
> user, with the same value getting passed, but they get denied.
> However, if we add another "Require shib-attr" line at the end, and we
> hard code the comma separated string of attributes being passed for this
> user, they get in.  The Apache error log shows the user getting denied for
> all of the attributes above, and then finally granted access based on a
> match that doesn't use a regex.
> It seems clear to me that something is wrong in my regular expressions
> above. But I can't find any documentation on what types of expressions
> are allowed.
> Thanks!
> Bryan

Lead IdM/IdP/Systems Integration
Information Technology
Sonoma State University
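An added example, not part of the thread and not Shibboleth SP code: it runs the four original `Require shib-attr` expressions, the single combined expression proposed above, and a hypothetical exact-token alternative against constructed role strings in the comma-separated shape the question describes. The point a reviewer would want checked is that the combined expression is broader than the four lines it replaces: because the `(_(CASUAL|CONTINUING))?` group is optional and the whole thing sits between `.*` wildcards, it also accepts bare `FNQM_ADMIN`, bare `FNQM_ACAD`, `FNQM_ACAD_CASUAL`, and any value that merely contains one of these strings as a prefix. The example assumes the SP's regex engine supports the same alternation and grouping constructs as Python's `re`, which stands in for it here; the role strings and the `EXACT_TOKENS` pattern are assumptions for illustration.

```python
import re

# Constructed sample attribute values in the comma-separated form described in
# the thread (token order varies between users). Not real data from the list.
SAMPLES = {
    "admin_casual":    "STAFF,FNQM_ADMIN_CASUAL,LIBRARY",
    "cejt_first":      "FNQM_CEJT,STAFF",
    "cejt_last":       "STAFF, FNQM_CEJT",
    "acad_continuing": "FNQM_ACAD_CONTINUING",
    "acad_casual":     "FNQM_ACAD_CASUAL",   # not one of the four granted roles
    "admin_bare":      "FNQM_ADMIN",         # not one of the four granted roles
    "cejt_suffix":     "FNQM_CEJTX",         # different role sharing a prefix
    "unrelated":       "STAFF,LIBRARY",
}

# The four expressions from the original question.
ORIGINAL_FOUR = [
    r"^.*FNQM_ADMIN_CASUAL.*$",
    r"^.*FNQM_ADMIN_CONTINUING.*$",
    r"^.*FNQM_ACAD_CONTINUING.*$",
    r"^.*FNQM_CEJT.*$",
]

# The single combined expression proposed in the reply.
COMBINED = r"^.*(FNQM_(ADMIN|ACAD|CEJT)(_(CASUAL|CONTINUING))?).*$"

# Hypothetical exact-token alternative (assumption, not from the thread): the
# granted role must be a whole comma-delimited token, so a bare FNQM_ADMIN or a
# longer role such as FNQM_CEJTX no longer satisfies the rule.
EXACT_TOKENS = (
    r"^(.*,)?\s*"
    r"(FNQM_ADMIN_CASUAL|FNQM_ADMIN_CONTINUING|FNQM_ACAD_CONTINUING|FNQM_CEJT)"
    r"\s*(,.*)?$"
)


def any_match(patterns, value):
    """True if any pattern matches, like a sequence of Require lines in an OR block."""
    return any(re.search(p, value) for p in patterns)


def evaluate(value):
    """Authorization decision of each rule set for one attribute value."""
    return {
        "original": any_match(ORIGINAL_FOUR, value),
        "combined": bool(re.search(COMBINED, value)),
        "exact": bool(re.search(EXACT_TOKENS, value)),
    }


def compare_all():
    """Decision table over all constructed samples, keyed by sample name."""
    return {name: evaluate(value) for name, value in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in compare_all().items():
        print(f"{name:16} {decision}")
```

Running it shows the three rule sets agree on values that carry one of the four granted roles, but `combined` alone accepts `FNQM_ADMIN` and `FNQM_ACAD_CASUAL`, and both `original` and `combined` accept `FNQM_CEJTX` because `FNQM_CEJT` is matched as a substring. Whether that widening matters depends on which roles the IdP can actually issue; an exact-token pattern avoids having to know.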
