ActivationConditions & ProfileInterceptConditions
Nanda Cairns
amanada.cairns at gmail.com
Sun Dec 9 14:24:09 EST 2018
I've been reading
https://wiki.shibboleth.net/confluence/display/IDP30/ActivationConditions
I understand, methinks, how to set ContextCheckPredicate for AND/OR if
within a group or attribute value.
I have a condition where I have to check OR on 2 different groups and 1
attribute value (only allow access if user is at least in one of these):
groupMembership regex="^(.*?)ou=employee,dc=example,dc=edu/>
groupMembership" regex="^(.*?)ou=staff,dc=example,dc=edu"/>
"Value" attributeID="eduPersonAffiliation" value="student"
Searching online revealed similar previous questions:
http://shibboleth.1660669.n2.nabble.com/SP-Authorization-via-ContextCheckPredicate-td7634075.html
http://shibboleth.1660669.n2.nabble.com/Handling-New-User-Memberships-td7633038.html
Similar to the poster above, I could create the flag in attribute-resolver.xml
based on the logic -- however, I was trying to find out if there is an alternative.
A sample which works for a single groupMembership is below --- being frank,
upon reading the javadocs and remaining befuddled, how could this be
expanded to 2 regexes on groupMembership and 1 attribute value:
<bean id="ContextCheckPredicate" parent="shibboleth.Conditions.AND">
    <constructor-arg>
        <list>
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="sp.example.edu" />
            <bean class="net.shibboleth.idp.profile.logic.RegexAttributePredicate"
                  p:useUnfilteredAttributes="true"
                  p:attributeId="groupMembership"
                  p:pattern="^(.*?)ou=foo,dc=example,dc=edu" />
        </list>
    </constructor-arg>
</bean>
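
One way to express the check asked about above, as an added example that is not part of the original post: nest a shibboleth.Conditions.OR bean inside the existing AND, holding the two group regexes and a SimpleAttributePredicate for the affiliation value. It assumes the p: and c: namespaces are declared as in the poster's sample and that groupMembership and eduPersonAffiliation are the resolved attribute IDs.

```xml
<!-- Added example: true only for sp.example.edu AND
     (employee group OR staff group OR eduPersonAffiliation=student). -->
<bean id="ContextCheckPredicate" parent="shibboleth.Conditions.AND">
    <constructor-arg>
        <list>
            <!-- Same relying-party restriction as the poster's working sample -->
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="sp.example.edu" />

            <!-- Any one of the three inner predicates is enough -->
            <bean parent="shibboleth.Conditions.OR">
                <constructor-arg>
                    <list>
                        <bean class="net.shibboleth.idp.profile.logic.RegexAttributePredicate"
                              p:useUnfilteredAttributes="true"
                              p:attributeId="groupMembership"
                              p:pattern="^(.*?)ou=employee,dc=example,dc=edu" />
                        <bean class="net.shibboleth.idp.profile.logic.RegexAttributePredicate"
                              p:useUnfilteredAttributes="true"
                              p:attributeId="groupMembership"
                              p:pattern="^(.*?)ou=staff,dc=example,dc=edu" />
                        <!-- Exact-value match instead of a regex -->
                        <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
                              p:useUnfilteredAttributes="true">
                            <property name="attributeValueMap">
                                <map>
                                    <entry key="eduPersonAffiliation">
                                        <list>
                                            <value>student</value>
                                        </list>
                                    </entry>
                                </map>
                            </property>
                        </bean>
                    </list>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>
```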