Blocking access for an individual user to a specific SP

Losen, Stephen C (scl) scl at
Wed Sep 26 06:23:34 EDT 2018

Hi Mark,

Another approach that might be easier for you.  What happens if the SP does not receive attributes that identify the user?  If it blocks access then you could withhold attributes to effectively block the user.  You might do the following in conf/attribute-filter.xml:

<AttributeFilterPolicy id="AFP-XXX">
        <PolicyRequirementRule xsi:type="Requester"
            value="" />
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- add this to block eduPersonPrincipalName -->

        <AttributeRule attributeID="eduPersonPrincipalName">
            <DenyValueRule xsi:type="Value"
               value="blocked-user at" />
        </AttributeRule>
</AttributeFilterPolicy>

A DenyValueRule overrides any PermitValueRule.

Of course this only works if the SP denies access when it does not receive the attributes that you block.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at    434-924-0640

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Mark Cairney
Sent: Wednesday, September 26, 2018 4:12 AM
To: users at
Subject: Re: Blocking access for an individual user to a specific SP

Hi Scott,

Thanks for this. It looks a bit more complex to set up than I'd hoped
and isn't something we could just push into production.

It does look like it might be worth investigating adding as a service
improvement, probably once 3.4 comes out.

Kind regards,

On 25/09/18 18:22, Cantor, Scott wrote:
> On 9/25/18, 12:47 PM, "users on behalf of Mark Cairney" <users-bounces at on behalf of Mark.Cairney at> wrote:
>> Is it possible to block a user from accessing a particular resource?
> -- Scott


Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: Mark.Cairney at
PGP: 0x435A9621


The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
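
A simplified model of the permit/deny evaluation described in the reply above, added here as an example; it is not part of the original thread and is not Shibboleth's own code. The SP entityID https://sp.example.org/shibboleth and the value blocked-user@example.org are constructed placeholders, and only the ANY and Value matcher types from the message are modelled.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy: the Requester and blocked value are placeholders.
POLICY = """
<AttributeFilterPolicy id="AFP-XXX"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>
    <AttributeRule attributeID="eduPersonPrincipalName">
        <DenyValueRule xsi:type="Value" value="blocked-user@example.org" />
    </AttributeRule>
</AttributeFilterPolicy>
"""

def _matches(rule, value):
    """Model only the two matcher types used in the message."""
    kind = rule.get(XSI_TYPE)
    if kind == "ANY":
        return True
    if kind == "Value":
        return rule.get("value") == value
    raise ValueError(f"matcher type not modelled: {kind}")

def release(policy_xml, requester, attributes):
    """Return the attributes that reach the SP under this simplified model."""
    policy = ET.fromstring(policy_xml)
    req = policy.find("PolicyRequirementRule")
    if req.get(XSI_TYPE) != "Requester" or req.get("value") != requester:
        return {}  # policy does not apply to this SP, so it permits nothing
    released = {}
    for attr_id, values in attributes.items():
        rules = [r for r in policy.findall("AttributeRule")
                 if r.get("attributeID") == attr_id]
        permits = [p for r in rules for p in r.findall("PermitValueRule")]
        denies = [d for r in rules for d in r.findall("DenyValueRule")]
        kept = [v for v in values
                if any(_matches(p, v) for p in permits)
                and not any(_matches(d, v) for d in denies)]  # deny wins
        if kept:  # an attribute with no surviving values is not sent at all
            released[attr_id] = kept
    return released
```

For the blocked value the result is an empty set of attributes, so the block is only effective when the SP refuses sessions that lack eduPersonPrincipalName.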