ActivationConditions & ProfileInterceptConditions
Cantor, Scott
cantor.2 at osu.edu
Mon Dec 10 17:37:02 EST 2018
On 12/10/18, 5:27 PM, "users on behalf of Nanda Cairns" <users-bounces at shibboleth.net on behalf of amanada.cairns at gmail.com> wrote:
> I have been experimenting, and came up with the following. There were no syntax errors, which were the initial battles, but
> the condition appears to allow all accounts through even if they have none of the pattern/value
You put the SP identity check inside the OR. That means it's the only check it bothers with, which short-circuits the rest of the rule for that one SP and would only enforce the attribute checks for all others.
If the rule here is only active for requests to that SP, there's no reason to mention the SP at all in the rule. If you're trying to build a common rule for all SPs, then I think you have this backwards and you would have to say something equivalent to "OR ( NOT (requester is <example>), OR (the various checks for the example SP case) )"
I think you need to get your head away from Spring and figure out what it is you want it to actually check and then build it up from the inside out. Write it out in normal infix notation and then convert it to prefix notation with parentheses and then the translation to Spring is largely mechanical.
-- Scott
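As an added illustration (not from the thread), the prefix form given above rendered as Shibboleth IdP condition beans, with true meaning the request proceeds. The entityID, attribute names and values are made up, and the `shibboleth.Conditions.*` parent beans with their `c:candidates`/`p:values` settings are assumed to match the IdP 3.3+ activation-condition documentation.

```xml
<!-- Added example, not from the thread. Reads as:
     OR( NOT(requester is the example SP),
         OR( affiliation check, entitlement check ) )
     so every other SP passes unconditionally and the example SP must
     satisfy at least one attribute check. The broken shape discussed
     above, OR( requester is the example SP, checks... ), is true for
     the example SP as soon as the first operand matches, so the
     attribute checks never apply to it.
     The c: and p: namespaces must be declared in the enclosing file. -->
<bean id="ExampleSPGate" parent="shibboleth.Conditions.OR">
    <constructor-arg>
        <list>
            <!-- Any other SP: this operand is true, nothing is enforced -->
            <bean parent="shibboleth.Conditions.NOT">
                <constructor-arg>
                    <!-- assumed entityID -->
                    <bean parent="shibboleth.Conditions.RelyingPartyId"
                          c:candidates="#{{'https://sp.example.org/shibboleth'}}" />
                </constructor-arg>
            </bean>
            <!-- The example SP: at least one of these must hold -->
            <bean parent="shibboleth.Conditions.OR">
                <constructor-arg>
                    <list>
                        <!-- assumed attribute IDs and values -->
                        <bean parent="shibboleth.Conditions.SimpleAttribute"
                              p:attributeId="eduPersonAffiliation"
                              p:values="#{{'staff', 'faculty'}}" />
                        <bean parent="shibboleth.Conditions.SimpleAttribute"
                              p:attributeId="eduPersonEntitlement"
                              p:values="#{{'urn:mace:example.org:app'}}" />
                    </list>
                </constructor-arg>
            </bean>
        </list>
    </constructor-arg>
</bean>
```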