ActivationConditions & ProfileInterceptConditions

Nanda Cairns amanada.cairns at gmail.com
Mon Dec 10 17:26:34 EST 2018


Thank you... it gave me confidence. This is beyond my realm of familiarity.
Sincere apologies for the newbie configuration questions.

I have been experimenting, and came up with the following. There were no syntax
errors, which were the initial battles, but the condition appears to allow all
accounts through even if they have none of the patterns/values (I made sure
the p:postAuthenticationFlows is correctly set). Could anyone point
out where I could have gone wrong? Thank you.

<bean id="ContextCheckPredicate" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <bean parent="shibboleth.Conditions.RelyingPartyId"
                  c:candidate="sp.example.edu" />
            <bean class="net.shibboleth.idp.profile.logic.RegexAttributePredicate"
                  p:useUnfilteredAttributes="true"
                  p:attributeId="groupMembership"
                  p:pattern="^(.*?)ou=employee,dc=example,dc=edu" />
            <bean class="net.shibboleth.idp.profile.logic.RegexAttributePredicate"
                  p:useUnfilteredAttributes="true"
                  p:attributeId="groupMembership"
                  p:pattern="^(.*?)ou=staff,dc=example,dc=edu" />
            <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
                  p:useUnfilteredAttributes="true">
                <property name="attributeValueMap">
                    <map>
                        <entry key="eduPersonAffiliation">
                            <list>
                                <value>student</value>
                            </list>
                        </entry>
                    </map>
                </property>
            </bean>
        </list>
    </constructor-arg>
</bean>

On Mon, Dec 10, 2018 at 6:11 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 12/9/18, 2:24 PM, "users on behalf of Nanda Cairns" <
> users-bounces at shibboleth.net on behalf of amanada.cairns at gmail.com> wrote:
>
> > I have a condition where I have to check OR on 2 different groups and 1
> > attribute value (only allow access if user is at
> > least in one of these):
>
> Then do all three wrapped in a shibboleth.Conditions.OR bean.
>
> -- Scott
>
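
A small Python model of the predicate composition in the message above, added here as an illustration (it is not Shibboleth code and not part of the thread). It evaluates the OR as posted, with the RelyingPartyId test as one of its branches, next to a `gated` variant; the `gated` composition, the whole-value regex match and the sample users are assumptions made for the example.

```python
import re

def ctx(rp, **attrs):
    """Constructed request: relying party ID plus the user's unfiltered attributes."""
    return {"rp": rp, "attrs": {k: list(v) for k, v in attrs.items()}}

# Simplified stand-ins for the beans named in the post (models, not Shibboleth classes).
def relying_party_id(candidate):
    return lambda c: c["rp"] == candidate

def regex_attribute(attribute_id, pattern):
    rx = re.compile(pattern)  # assumption: the pattern must match the whole value
    return lambda c: any(rx.fullmatch(v) for v in c["attrs"].get(attribute_id, []))

def simple_attribute(value_map):
    return lambda c: any(v in c["attrs"].get(attr, [])
                         for attr, values in value_map.items() for v in values)

def OR(*preds):
    return lambda c: any(p(c) for p in preds)

def NOT(pred):
    return lambda c: not pred(c)

SP = relying_party_id("sp.example.edu")
MEMBERSHIP = OR(
    regex_attribute("groupMembership", r"^(.*?)ou=employee,dc=example,dc=edu"),
    regex_attribute("groupMembership", r"^(.*?)ou=staff,dc=example,dc=edu"),
    simple_attribute({"eduPersonAffiliation": ["student"]}),
)

# As posted: the relying-party test is just one more branch of the OR.
as_posted = OR(SP, MEMBERSHIP)
# Assumed alternative: other SPs pass untouched, sp.example.edu requires membership.
gated = OR(NOT(SP), MEMBERSHIP)

# Constructed sample users.
CASES = {
    "outsider@sp": ctx("sp.example.edu",
                       groupMembership=["cn=guests,ou=visitor,dc=example,dc=edu"]),
    "staff@sp": ctx("sp.example.edu",
                    groupMembership=["cn=it,ou=staff,dc=example,dc=edu"]),
    "student@sp": ctx("sp.example.edu", eduPersonAffiliation=["student"]),
    "outsider@other": ctx("other.example.edu"),
}

def evaluate(predicate):
    """Return {case name: True if the predicate lets the request proceed}."""
    return {name: bool(predicate(c)) for name, c in CASES.items()}

if __name__ == "__main__":
    for label, pred in (("as posted", as_posted), ("gated", gated)):
        print(label, evaluate(pred))
```

In this model the posted composition is true for every request to sp.example.edu regardless of attributes, and false for a user without the attributes at any other relying party.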