Flow-Intercept-Allowed-Beans

John C. Pfeifer pfeifer at umd.edu
Tue Apr 9 16:03:52 EDT 2019


I do all of the work in a scripted attribute definition in attribute-resolver.xml.  My context intercept is then a trivial check of that attribute having any values (no values == denied).

An additional advantage is that the resolver is reloadable whereas the intercept is not.

> On Apr 9, 2019, at 3:49 PM, Joshua Brodie <josbrodie at gmail.com> wrote:
> 
> Hi List.
> 
> This has been stumping me, and wondering if any can guide me through my mental fog.
> 
> We have the following condition to allow access to an SP -- the IdP intercepts is condition is not met and present a message to say access denied.
> 
> How do I add an additional 'OR' condition for groupMembership? I.e. allow access if in eduPersonAffiliation (with values in list below) OR if member in a groupMembership?
> 
> 
> <bean id="ContextCheckPredicate" parent="shibboleth.Conditions.AND">
>         <constructor-arg>
>              <list>
>                  <bean parent="shibboleth.Conditions.RelyingPartyId" c:candidates="#{{'http://www.sp.example.com/sp'}}" />
>                  <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
>                          p:useUnfilteredAttributes="true">
>                           <property name="attributeValueMap">
>                         <map>
>                             <entry key="eduPersonAffiliation">
>                                 <list>
>                                     <value>faculty</value>
>                                     <value>staff</value>
>                                     <value>guest</value>
>                                 </list>
>                             </entry>
>                         </map>
>                     </property>
>                     </bean>
>              </list>
> 		</constructor-arg> 
>     </bean>
> -- 
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net


//
John Pfeifer
Division of Information Technology
University of Maryland, College Park



More information about the users mailing list