IdP Authorization Decisions

Mizushima, Marcus mmizushima at
Mon Feb 19 15:51:29 EST 2018

You can *if* authorization means not releasing attributes to the SP (which you seem to state in your post). Just add the requirements to your PolicyRequirementRule.

From: users [mailto:users-bounces at] On Behalf Of Michael Dahlberg
Sent: Monday, February 19, 2018 12:45 PM
To: Shib Users <users at>
Subject: IdP Authorization Decisions

I admit that I have not done much research on this because, in addition to the question, I'm not even sure how to search for the answer to this question.
My question is the following:  is it possible for the IdP to make authorization decisions?  What I mean by this is, once a user successfully authenticates and a collection of attributes is returned from the data store, is it possible for the IdP to return an assertion to the SP, or not, based on the value of one of these attributes?
I'm sure the answer to this question is somewhere in the Shibboleth wiki, I'm just not sure what to look for.  Any help will be appreciated.

(tl;dr my specific use case for this is that our library has asked to deny access to the ILLIAD, inter-library loan, system to alumni.  From what I can tell, the SP for the ILLIAD system is not sophisticated enough to make these authorization decisions based on an attribute in our AD passed to it from an assertion provided by the IdP.  Therefore, any user that can authenticate against our AD, like alumni, can gain access to ILLIAD.  I'd like to either pass an assertion back to the SP if the user is faculty/staff/student, or nothing if alumni.)
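
The PolicyRequirementRule approach suggested in the reply, sketched as an added example (not part of either message and not the Shibboleth project's own configuration). It assumes IdP v3 attribute-filter.xml syntax; the SP entityID, the attribute IDs `eduPersonAffiliation` and `uid`, and the value `alum` are placeholders for whatever the deployment actually resolves from AD.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: conf/attribute-filter.xml for a Shibboleth IdP v3.
     All IDs, the entityID and the attribute values are assumed placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <AttributeFilterPolicy id="releaseToIlliadUnlessAlumni">

        <!-- The policy applies only when BOTH conditions hold:
             1. the requesting SP is the ILLiad SP, and
             2. the user has no affiliation value of "alum". -->
        <PolicyRequirementRule xsi:type="AND">
            <!-- Placeholder entityID for the ILLiad SP -->
            <Rule xsi:type="Requester"
                  value="https://illiad.example.edu/shibboleth" />
            <Rule xsi:type="NOT">
                <!-- True if any value of the attribute equals "alum" -->
                <Rule xsi:type="Value"
                      attributeID="eduPersonAffiliation"
                      value="alum" />
            </Rule>
        </PolicyRequirementRule>

        <!-- Attribute the SP uses to identify the user; released only
             when the requirement rule above is satisfied. -->
        <AttributeRule attributeID="uid">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

This withholds attributes only: the IdP still issues an assertion for an alumni user, so access is denied only if the SP refuses sessions that lack the attribute. Check that no other policy in the file releases the same attribute to this SP, since permit rules from separate policies are combined.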
