wish list: ability to define reusable blocks in SP configuration
Guillaume Rousse
guillaume.rousse at renater.fr
Tue Aug 14 11:25:40 EDT 2018
On 13/08/2018 at 16:06, Cantor, Scott wrote:
>> On 13/08/2018 at 15:47, Guillaume Rousse wrote:
>>> I rode content mapper documentation carefully. If I understand it
>> I *read*, sorry for my English :)
>
> You can ride it too, but it's probably not too fun.
>
> Anyway, you're understanding me correctly.
I just tested, and it works, except for applications using lazy
sessions :(
The following configuration is impossible to satisfy without a valid
shibboleth session:
<RequireAll>
    Require shibboleth
    Require shib-attr Shib-Identity-Provider ! guest_idp1
    Require shib-attr Shib-Identity-Provider ! guest_idp2
</RequireAll>
The following one will always succeed, whatever the IdP used:
<RequireAny>
    Require shibboleth
    Require shib-attr Shib-Identity-Provider ! guest_idp1
    Require shib-attr Shib-Identity-Provider ! guest_idp2
</RequireAny>
And it seems impossible to express the following logic:
- either no shibboleth session at all
- or a session, but not using any of the non-federated IdPs
<RequireAny>
    Require ! shib-session
    <RequireAll>
        Require shib-session
        Require shib-attr Shib-Identity-Provider ! guest_idp1
        Require shib-attr Shib-Identity-Provider ! guest_idp2
    </RequireAll>
</RequireAny>
This is unfortunately not correct, as the first rule type doesn't support
negation.
Is there any solution here?
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3637 bytes
Desc: S/MIME cryptographic signature
URL: <http://shibboleth.net/pipermail/users/attachments/20180814/c4a20301/attachment.p7s>
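Added example, not part of the mail above and not Shibboleth project code: a small Python model of how Apache 2.4's mod_authz_core combines the results of Require lines (granted, denied or neutral, following the Apache documentation for RequireAll, RequireAny and "Require not"), applied to the three configurations quoted in the mail. The outcomes assumed for the shibboleth, shib-session and shib-attr providers are a simplified model built for illustration, not the SP's real behaviour; writing the third block's negation as Apache's own "Require not shib-session", and the IdP entityIDs used as sample input, are likewise assumptions. The point the model makes visible is that a negated rule can only return neutral or denied, never granted, so it cannot on its own satisfy a RequireAny: under these combinator rules the session-less case of the third block ends in denial even when the negation is accepted.

```python
"""Model of Apache 2.4 authorization result combination (added example).

Apache combinator semantics follow the mod_authz_core documentation. The
provider outcomes for shibboleth / shib-session / shib-attr are assumptions
made for this model, not the Shibboleth SP's actual implementation.
"""
from dataclasses import dataclass
from typing import Callable, Optional

GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


@dataclass(frozen=True)
class Request:
    """idp=None models a lazy-session request with no Shibboleth session."""
    idp: Optional[str] = None


Rule = Callable[[Request], str]


# --- Provider rules (simplified model, assumptions) ---------------------------

def shibboleth() -> Rule:
    # Assumption: 'Require shibboleth' is satisfied with or without a session.
    return lambda req: GRANTED


def shib_session() -> Rule:
    # Assumption: 'Require shib-session' needs an active session.
    return lambda req: GRANTED if req.idp is not None else DENIED


def shib_attr(name: str, value: str, negate: bool = False) -> Rule:
    # Assumption: attributes exist only with a session, and
    # Shib-Identity-Provider carries the IdP entityID.
    def ev(req: Request) -> str:
        attrs = {} if req.idp is None else {"Shib-Identity-Provider": req.idp}
        if name not in attrs:
            return DENIED
        matched = attrs[name] == value
        return GRANTED if matched != negate else DENIED
    return ev


# --- Apache 2.4 mod_authz_core combinators (documented behaviour) -------------

def require_not(rule: Rule) -> Rule:
    """'Require not X': denied if X grants, neutral otherwise. Never grants."""
    return lambda req: DENIED if rule(req) == GRANTED else NEUTRAL


def require_all(*rules: Rule) -> Rule:
    """<RequireAll>: denied if any denies; granted if none deny and one grants."""
    def ev(req: Request) -> str:
        results = [r(req) for r in rules]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return ev


def require_any(*rules: Rule) -> Rule:
    """<RequireAny>: granted if any grants; else denied if any denies."""
    def ev(req: Request) -> str:
        results = [r(req) for r in rules]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return ev


def evaluate(container: Rule, req: Request) -> str:
    """Top level: only an explicit grant gives access; neutral means denial."""
    return GRANTED if container(req) == GRANTED else DENIED


GUESTS = ("guest_idp1", "guest_idp2")  # sample non-federated IdP names (assumed)
not_guest = [shib_attr("Shib-Identity-Provider", g, negate=True) for g in GUESTS]

# Block 1 of the mail: RequireAll around 'Require shibboleth' and the two negations.
CONFIG_ALL = require_all(shibboleth(), *not_guest)
# Block 2: the same lines under RequireAny.
CONFIG_ANY = require_any(shibboleth(), *not_guest)
# Block 3, with the negation written as Apache's 'Require not shib-session'.
CONFIG_NEGATED = require_any(require_not(shib_session()),
                             require_all(shib_session(), *not_guest))

if __name__ == "__main__":
    # Constructed sample requests: no session, a federated IdP, a guest IdP.
    samples = [Request(), Request("https://idp.example.org/idp"), Request("guest_idp2")]
    for label, cfg in (("all", CONFIG_ALL), ("any", CONFIG_ANY), ("negated", CONFIG_NEGATED)):
        print(label, [evaluate(cfg, r) for r in samples])
```

Run as a script, the model reproduces the two observations in the mail (the RequireAll block denies the session-less request, the RequireAny block grants everything) and shows the third block denying the session-less request because the RequireAny sees one neutral and one denied result.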