Blocking access for an individual user to a specific SP
Losen, Stephen C (scl)
scl at virginia.edu
Wed Sep 26 06:23:34 EDT 2018
Another approach that might be easier for you. What happens if the SP does not receive attributes that identify the user? If it blocks access then you could withhold attributes to effectively block the user. You might do the following in conf/attribute-filter.xml:
<AttributeRule attributeID="eduPersonPrincipalName">
    <PermitValueRule xsi:type="ANY" />
    <!-- add this to block eduPersonPrincipalName -->
    <DenyValueRule xsi:type="Value" value="blocked-user@example.org" />
</AttributeRule>
A DenyValueRule overrides any PermitValueRule.
Of course this only works if the SP denies access when it does not receive the attributes that you block.
Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu 434-924-0640
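The deny-overrides-permit behaviour described in the message above, as an added example that is not part of the original post and is not Shibboleth's own code: a small Python model that evaluates a filter policy scoped to one SP. The entity ID, policy IDs and user values are constructed placeholders, and only the ANY, Requester and Value rule types are modelled.

```python
import xml.etree.ElementTree as ET

AFP = "{urn:mace:shibboleth:2.0:afp}"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample policy: the entity ID, ids and user value are placeholders.
FILTER_XML = """
<AttributeFilterPolicyGroup id="ExamplePolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeFilterPolicy id="releaseEppnToExampleSP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY" />
      <DenyValueRule xsi:type="Value" value="blocked-user@example.org" />
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
"""

def _matches(rule, requester, value):
    """Evaluate one rule element; simplified model, exact string matching only."""
    kind = rule.get(XSI_TYPE)
    if kind == "ANY":
        return True
    if kind == "Requester":
        return rule.get("value") == requester
    if kind == "Value":
        return rule.get("value") == value
    raise ValueError(f"rule type not modelled: {kind}")

def released_values(filter_xml, requester, attribute_id, values):
    """Return the values of one attribute that survive filtering for a requester."""
    root = ET.fromstring(filter_xml)
    permitted, denied = set(), set()
    for policy in root.iter(AFP + "AttributeFilterPolicy"):
        requirement = policy.find(AFP + "PolicyRequirementRule")
        if requirement is None or not _matches(requirement, requester, None):
            continue  # policy does not apply to this SP
        for rule in policy.iter(AFP + "AttributeRule"):
            if rule.get("attributeID") != attribute_id:
                continue
            for value in values:
                if any(_matches(p, requester, value) for p in rule.iter(AFP + "PermitValueRule")):
                    permitted.add(value)
                if any(_matches(d, requester, value) for d in rule.iter(AFP + "DenyValueRule")):
                    denied.add(value)
    # A deny match removes the value even though a permit rule also matched.
    return [v for v in values if v in permitted and v not in denied]
```

An empty result for the blocked user means the SP receives no eduPersonPrincipalName for that login, which blocks access only if the SP refuses sessions without it.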
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Mark Cairney
Sent: Wednesday, September 26, 2018 4:12 AM
To: users at shibboleth.net
Subject: Re: Blocking access for an individual user to a specific SP
Thanks for this. It looks a bit more complex to set up than I'd hoped
and isn't something we could just push into production.
It does look like it might be worth investigating as adding as a service
improvement, probably once 3.4 comes out.
On 25/09/18 18:22, Cantor, Scott wrote:
> On 9/25/18, 12:47 PM, "users on behalf of Mark Cairney" <users-bounces at shibboleth.net on behalf of Mark.Cairney at ed.ac.uk> wrote:
>> Is it possible to block a user from accessing a particular resource?
> -- Scott
ITI Enterprise Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.