persistent nameID activation conditions for Slack Plus
Liam Hoekenga
liamr at umich.edu
Wed Dec 5 15:02:06 EST 2018
We're in the process of onboarding multiple instances of Slack Plus.
Each instance of slack will have an associated directory group for
authorization. Users in the group will have attributes released. Users
not in the group will have attributes withheld.
We've since found out that if a user has been provisioned into Slack, they
can still access Slack as long as their nameID is being released.
Attributes are required for JIT provisioning, but not subsequent access.
I need to conditionally deny nameID based on whether a user is in the
authorization group for the slack instance being accessed. This feels like
it would be the same (or very similar logic) that will be used to decide
whether we should release attributes for said user / slack instance. I
think this is going to have to be scripted.
Will it be possible to use the same script as an activation condition for
nameID generation and attribute release? I only see reference to
inlineScript (instead of the "script" vs "scriptFile" stuff you see for
attribute definition). Could I point at the same bean definition in another
file that gets loaded via services.xml?
Liam
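One way to drive both decisions from the same resolved group attribute, shown here as an added example rather than configuration from this thread or the IdP distribution: the attribute filter policy uses declarative Requester/Value rules, and a scripted activation condition on the persistent NameID generator performs the same membership test, so neither Slack instance gets a NameID or attributes for users outside its group. It assumes the resolver produces an `isMemberOf` attribute, that `AttributeContext.getUnfilteredIdPAttributes()` is available in the deployed IdP version, and that the entityIDs, group DNs and the `SlackGroupCondition` bean id are placeholders.

```xml
<!-- conf/attribute-filter.xml: release attributes to instance A only for its group -->
<AttributeFilterPolicy id="slack-instance-a">
    <PolicyRequirementRule xsi:type="AND">
        <Rule xsi:type="Requester" value="https://slack-a.example/sp" />       <!-- placeholder -->
        <Rule xsi:type="Value" attributeID="isMemberOf"
              value="cn=slack-a-users,ou=groups,dc=example,dc=edu" />         <!-- placeholder -->
    </PolicyRequirementRule>
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="displayName" permitAny="true" />
</AttributeFilterPolicy>

<!-- conf/saml-nameid.xml: the same membership test gates persistent NameID generation -->
<bean id="SlackGroupCondition" parent="shibboleth.Conditions.Scripted" factory-method="inlineScript">
    <constructor-arg>
        <value><![CDATA[
            // Slack SP entityID -> required group DN (placeholders); one entry per instance.
            var required = {
                "https://slack-a.example/sp" : "cn=slack-a-users,ou=groups,dc=example,dc=edu",
                "https://slack-b.example/sp" : "cn=slack-b-users,ou=groups,dc=example,dc=edu"
            };
            function allowed() {
                var rpCtx = input.getSubcontext("net.shibboleth.idp.relyingparty.RelyingPartyContext");
                if (rpCtx == null) { return false; }
                var rpId = String(rpCtx.getRelyingPartyId());
                // Not a Slack instance: keep the generator active for every other SP.
                if (!(rpId in required)) { return true; }
                // Read the unfiltered set so isMemberOf need not itself be released to Slack.
                var attrCtx = rpCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext");
                var groups = attrCtx != null ? attrCtx.getUnfilteredIdPAttributes().get("isMemberOf") : null;
                if (groups == null) { return false; }
                var vals = groups.getValues();
                for (var i = 0; i < vals.size(); i++) {
                    if (String(vals.get(i).getValue()) === required[rpId]) { return true; }
                }
                return false;   // in no authorized group: withhold the persistent NameID
            }
            allowed();
        ]]></value>
    </constructor-arg>
</bean>

<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2PersistentGenerator"
          p:activationCondition-ref="SlackGroupCondition" />
</util:list>
```

With no active generator the IdP fails the request for an unauthorized user instead of issuing a NameID, which is the behaviour the question asks for; the filter policy still has to be duplicated per instance because filter rules and NameID activation conditions live in separate reloadable services.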