AccessControlConfiguration - Multiple Conditions?
Lille M
lillemacdoe at gmail.com
Tue Apr 30 19:23:24 EDT 2019
Hi Scott:
Thank you :)
I have AccessByUser working for all of them (while keeping the Status check by IP address), but I'm running into a roadblock with AccessByAttribute.
I have the groupMembership value 'obfuscated', and I'm receiving access-denied messages when attempting resolvertest, reload-service-configuration, etc.
Have I missed anything obvious?
*1 - admin/general-admin.xml*
<util:list id="shibboleth.AvailableAdminFlows">

    <!-- Status Page -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/status"
        p:loggingId="%{idp.service.logging.status:Status}"
        p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />

    <!-- Service Reload -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
        p:authenticated="true"
        p:loggingId="%{idp.service.logging.serviceReload:Reload}"
        p:policyName="%{idp.reload.accessPolicy:AccessByAttribute}" />

    <!-- MetadataResolver Reload -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/reload-metadata"
        p:authenticated="true"
        p:loggingId="%{idp.service.logging.serviceReload:Reload}"
        p:policyName="%{idp.reload.accessPolicy:AccessByAttribute}" />

    <!-- AttributeResolver Debugging -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/resolvertest"
        p:authenticated="true"
        p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
        p:policyName="%{idp.resolvertest.accessPolicy:AccessByAttribute}" />

    <!-- REST StorageService Access -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/storage"
        p:authenticated="true"
        p:loggingId="Storage"
        p:policyName="AccessByAttribute" />

    <!-- REST Interface to Metrics -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/metrics"
        p:loggingId="Metrics"
        p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />

</util:list>
*2 - access-control.xml*
<util:map id="shibboleth.AccessControlPolicies">

    <!-- Loopback-only check used by the Status flow -->
    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress"
            parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
    </entry>

    <!-- Allow only the authenticated principal named 'lille' -->
    <entry key="AccessByUser">
        <bean parent="shibboleth.PredicateAccessControl">
            <constructor-arg>
                <bean parent="shibboleth.Conditions.SubjectName"
                    c:collection="#{'lille'}" />
            </constructor-arg>
        </bean>
    </entry>

    <!-- Allow when a resolved attribute carries a given value; the map key
         must be the IdP attribute ID exactly as defined in attribute-resolver.xml -->
    <entry key="AccessByAttribute">
        <bean parent="shibboleth.PredicateAccessControl">
            <constructor-arg>
                <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                    <property name="attributeValueMap">
                        <map>
                            <entry key="groupMember">
                                <list>
                                    <value>obfuscated</value>
                                </list>
                            </entry>
                        </map>
                    </property>
                </bean>
            </constructor-arg>
        </bean>
    </entry>

</util:map>
On Mon, Apr 29, 2019 at 4:51 PM Cantor, Scott <cantor.2 at osu.edu> wrote:
> > How do I configure for authenticated access to admin functions (beyond
> > uncommenting AccessByUser or AccessByAttribute)?
>
> Authentication can be added in general-admin.xml, the flow descriptor
> beans have an "authenticated" property to control that. One or two of them
> already are marked that way.
>
> > Is it possible to restrict access by either conditions matched:
> > AccessByIPAddress or AccessByUser or AccessByAttribute?
>
> They're (wrappers around) Predicates, you can do anything you want. Those
> are examples, nothing more.
>
> -- Scott
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
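As an added example (not the poster's configuration and not code from the Shibboleth project), here is how the two fragments above fit together once the admin flows actually resolve attributes before the access-control check, and once the user and attribute checks are combined with an OR predicate, which is the "you can do anything you want" of the quoted reply. It assumes an IdP 3.3 or later release (the resolveAttributes property on shibboleth.AdminFlow), that the group attribute is resolved under the IdP attribute ID groupMembership, and that 'lille' and 'obfuscated' are the real principal name and attribute value; AccessByUserOrAttribute is a policy name chosen for this example.

```xml
<!-- conf/admin/general-admin.xml (example): resolve attributes, then check policy -->
<util:list id="shibboleth.AvailableAdminFlows">

    <!-- Status Page: unauthenticated, loopback only, unchanged from the post -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/status"
        p:loggingId="%{idp.service.logging.status:Status}"
        p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />

    <!-- AttributeResolver Debugging: require login, resolve attributes for the
         logged-in principal, then evaluate the combined policy below -->
    <bean parent="shibboleth.AdminFlow"
        c:id="http://shibboleth.net/ns/profiles/resolvertest"
        p:authenticated="true"
        p:resolveAttributes="true"
        p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
        p:policyName="%{idp.resolvertest.accessPolicy:AccessByUserOrAttribute}" />

    <!-- Other admin flows omitted; every flow that uses an attribute-based
         policy needs both p:authenticated="true" and p:resolveAttributes="true" -->

</util:list>

<!-- conf/access-control.xml (example): one policy that passes if EITHER condition holds -->
<util:map id="shibboleth.AccessControlPolicies">

    <entry key="AccessByIPAddress">
        <bean id="AccessByIPAddress"
            parent="shibboleth.IPRangeAccessControl"
            p:allowedRanges="#{ {'127.0.0.1/32', '::1/128'} }" />
    </entry>

    <!-- Example policy name; shibboleth.Conditions.OR takes a list of Predicates -->
    <entry key="AccessByUserOrAttribute">
        <bean parent="shibboleth.PredicateAccessControl">
            <constructor-arg>
                <bean parent="shibboleth.Conditions.OR">
                    <constructor-arg>
                        <list>
                            <!-- the authenticated principal is 'lille' ... -->
                            <bean parent="shibboleth.Conditions.SubjectName"
                                c:collection="#{ {'lille'} }" />
                            <!-- ... OR the resolved attribute 'groupMembership'
                                 (assumed attribute ID) contains 'obfuscated' -->
                            <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                                <property name="attributeValueMap">
                                    <map>
                                        <entry key="groupMembership">
                                            <list>
                                                <value>obfuscated</value>
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </list>
                    </constructor-arg>
                </bean>
            </constructor-arg>
        </bean>
    </entry>

</util:map>
```

Two points worth checking before relying on this. First, SimpleAttributePredicate only sees attributes that were resolved for the request; without resolveAttributes on the admin flow there is nothing in the attribute context and an attribute-based policy denies every caller. Second, the IP check is an AccessControl bean, not a Predicate, so it is not dropped into the OR list here; it stays its own policy on the Status flow. If access is still denied after this change, run resolvertest under the working AccessByUser policy for the admin principal and confirm the attribute really resolves under the ID used as the map key and with that exact value.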