Flow-Intercept-Allowed-Beans

Martin Lunze martin.lunze at tu-dresden.de
Wed Apr 10 00:56:09 EDT 2019


Hi Joshua,

here is an example from my idp combining multiple conditions:

> <!-- True if the SP is local, or the SP allows functional users, or the user is not a functional user -->
> <bean id="login-proceed" parent="shibboleth.Conditions.OR">
>     <constructor-arg>
>         <list>
>             <ref bean="SP-is-local"/>
>             <ref bean="SP-allow-functional-user"/>
>             <bean parent="shibboleth.Conditions.NOT">
>                 <constructor-arg>
>                     <list>
>                         <ref bean="user-is-functional"/>
>                     </list>
>                 </constructor-arg>
>             </bean>
>         </list>
>     </constructor-arg>
> </bean>

You just have to add '<bean parent="shibboleth.Conditions.OR">' after 
your RelyingPartyId condition and then you can add multiple 
SimpleAttributePredicates.

With nice regards.

Martin

Am 09.04.19 um 21:49 schrieb Joshua Brodie:
> Hi List.
>
> This has been stumping me, and wondering if any can guide me through 
> my mental fog.
>
> We have the following condition to allow access to an SP -- the IdP 
> intercepts if the condition is not met and presents a message to say access 
> denied.
>
> How do I add an additional 'OR' condition for groupMembership? I.e. 
> allow access if in eduPersonAffiliation (with values in list below) OR 
> if member in a groupMembership?
>
>
> <bean id="ContextCheckPredicate" parent="shibboleth.Conditions.AND">
>     <constructor-arg>
>         <list>
>             <bean parent="shibboleth.Conditions.RelyingPartyId"
>                   c:candidates="#{{'http://www.sp.example.com/sp'}}" />
>             <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
>                   p:useUnfilteredAttributes="true">
>                 <property name="attributeValueMap">
>                     <map>
>                         <entry key="eduPersonAffiliation">
>                             <list>
>                                 <value>faculty</value>
>                                 <value>staff</value>
>                                 <value>guest</value>
>                             </list>
>                         </entry>
>                     </map>
>                 </property>
>             </bean>
>         </list>
>     </constructor-arg>
> </bean>
>
-- 
Martin Lunze
IT-Systemadministrator

Technische Universität Dresden
Zentrum für Informationsdienste und Hochleistungsrechnen (ZIH)
Operative Prozesse und Systeme (OPS)
01062 Dresden

Tel.: +49 (351) 463-35881
E-Mail: martin.lunze at tu-dresden.de
