IdP Authorization Decisions

Michael Dahlberg olgamirth at
Mon Feb 19 15:45:13 EST 2018

I admit that I have not done much research on this because, in addition to
the question, I'm not even sure how to search for the answer to this.

My question is the following:  is it possible for the IdP to make
authorization decisions?  What I mean by this is, once a user successfully
authenticates and a collection of attributes is returned from the data
store, is it possible for the IdP to return an assertion to the SP, or not,
based on the value of one of these attributes?

I'm sure the answer to this question is somewhere in the Shibboleth wiki,
I'm just not sure what to look for.  Any help will be appreciated.

(tl;dr: my specific use case for this is that our library has asked to deny
access to the ILLIAD (inter-library loan) system to alumni.  From what I
can tell, the SP for the ILLIAD system is not sophisticated enough to make
these authorization decisions based on an attribute in our AD passed to it
from an assertion provided by the IdP.  Therefore, any user that can
authenticate against our AD, like alumni, can gain access to ILLIAD.  I'd
like to either pass an assertion back to the SP if the user is
faculty/staff/student, or nothing if alumni.)
