ActivationConditions & ProfileInterceptConditions

Nanda Cairns amanada.cairns at
Sun Dec 9 14:24:09 EST 2018

I've been reading

I understand, me thinks, how to set ContextCheckPredicate for AND/OR if
within a group or attribute value.

I have a condition where I have to check OR on 2 different groups and 1
attribute value (only allow access if user is at least in one of these):

groupMembership regex="^(.*?)ou=employee,dc=example,dc=edu/>

groupMembership" regex="^(.*?)ou=staff,dc=example,dc=edu"/>

"Value" attributeID="eduPersonAffiliation" value="student"

Searching online, revealed previously similar questions:

Similar to poster above, I could create the flag in attribute-resolver.xml
based on the logic -- however, was trying to find if can find alternative.

Sample which works for single groupMembership is below --- being frank,
upon reading the javadocs and remaining befuddled, how could this be
expanded to 2 regex on groupMembership and 1 attribute value:

<bean id="ContextCheckPredicate" parent="shibboleth.Conditions.AND">



                 <bean parent="shibboleth.Conditions.RelyingPartyId"
c:candidate="" />

                 <bean class=



                         p:pattern="^(.*?)ou=foo,dc=example,dc=edu" />



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list