Blocking access for an individual user to a specific SP

Losen, Stephen C (scl) scl at virginia.edu
Wed Sep 26 06:23:34 EDT 2018


Hi Mark,

Another approach that might be easier for you.  What happens if the SP does not receive attributes that identify the user?  If it blocks access then you could withhold attributes to effectively block the user.  You might do the following in conf/attribute-filter.xml:

<AttributeFilterPolicy id="AFP-XXX">
    <!-- this policy applies only to the one SP -->
    <PolicyRequirementRule xsi:type="Requester"
        value="https://sp.example.org/shibboleth" />

    <!-- normal release of eduPersonPrincipalName -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="ANY" />
    </AttributeRule>

    <!-- add this to block eduPersonPrincipalName for one user;
         the deny takes precedence over the permit above -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <DenyValueRule xsi:type="Value"
           value="blocked-user@example.org" />
    </AttributeRule>
</AttributeFilterPolicy>

A DenyValueRule overrides any PermitValueRule.

Of course this only works if the SP denies access when it does not receive the attributes that you block.

Stephen C. Losen
ITS - Systems and Storage
University of Virginia
scl at virginia.edu    434-924-0640
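
[Editor's added example, not part of Stephen's message or of the Shibboleth project's own configuration: a complete conf/attribute-filter.xml for an IdP v3 that applies the approach above to more than one user and to more than one identifying attribute. The SP entityID, the policy id, the principal names and the assumption that the SP also accepts "mail" as an identifier are all placeholders; ignoreCase on the Value matcher is assumed to be available on the IdP version in use.]

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- conf/attribute-filter.xml (Shibboleth IdP v3). Added example; the
     entityID, policy id, attribute IDs and principal names are placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Policy for the single SP (hypothetical entityID) at which the block applies. -->
    <AttributeFilterPolicy id="releaseToSpExampleOrg">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://sp.example.org/shibboleth" />

        <!-- Normal release: every value of eduPersonPrincipalName. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Block list. A DenyValueRule wins over a PermitValueRule, so these
             users get no eduPersonPrincipalName at this SP. The OR wrapper
             lets one rule carry several principals; ignoreCase (assumed
             supported) stops a differently-cased login from slipping past. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <DenyValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="blocked-user@example.org" ignoreCase="true" />
                <Rule xsi:type="Value" value="another-user@example.org" ignoreCase="true" />
            </DenyValueRule>
        </AttributeRule>

        <!-- Every other attribute the SP will accept as an identifier must be
             withheld the same way, or the block has a hole. Here "mail" is
             assumed to be such an attribute and to carry the same value. -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="mail">
            <DenyValueRule xsi:type="OR">
                <Rule xsi:type="Value" value="blocked-user@example.org" ignoreCase="true" />
                <Rule xsi:type="Value" value="another-user@example.org" ignoreCase="true" />
            </DenyValueRule>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

Two checks before relying on this. On the IdP, run bin/aacli.sh -n blocked-user -r https://sp.example.org/shibboleth and confirm that none of the withheld attributes appear in the output while an unblocked principal still gets them. On the SP, confirm it actually refuses a session that carries no identifying attribute (for the Shibboleth SP that means an access-control rule on the protected path, or application logic, that requires the attribute); the IdP still issues a successful assertion, possibly with a NameID, so an SP that is happy with an anonymous session is not blocked by this at all.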


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Mark Cairney
Sent: Wednesday, September 26, 2018 4:12 AM
To: users at shibboleth.net
Subject: Re: Blocking access for an individual user to a specific SP

Hi Scott,

Thanks for this. It looks a bit more complex to set up than I'd hoped
and isn't something we could just push into production.


It does look like it might be worth investigating and adding as a service
improvement, probably once 3.4 comes out.

Kind regards,
Mark


On 25/09/18 18:22, Cantor, Scott wrote:
> On 9/25/18, 12:47 PM, "users on behalf of Mark Cairney" <users-bounces at shibboleth.net on behalf of Mark.Cairney at ed.ac.uk> wrote:
> 
>> Is it possible to block a user from accessing a particular resource?
> 
> https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration
> 
> -- Scott
> 
> 

-- 
/****************************

Mark Cairney
ITI Enterprise Services
Information Services
University of Edinburgh

Tel: 0131 650 6565
Email: Mark.Cairney at ed.ac.uk
PGP: 0x435A9621

*******************************/

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

