GitHub access control

Peter Schober peter.schober at
Wed Jul 15 18:11:43 UTC 2020

* Schwendner, Joanne <joanne_schwendner at> [2020-07-15 20:03]:
> It seems the only attribute GitHub cares about is NameID.  We are currently
> passing our persistent ID in NameID.  If it's there, they get in. To block
> access for a user, we would have to NOT send NameID in the assertion, if
> that's even possible.
> Is it possible to conditionally NOT send NameID depending on a user's other
> attributes?

From a comment in conf/saml-nameid.xml of my IDPv3 install:

  These generator lists handle NameID/Nameidentifier generation going
  forward. By default, transient IDs for both SAML versions are
  enabled. The commented examples are for persistent IDs and
  generating more one-off formats based on resolved attributes. The
  suggested approach is to control their use via release of the
  underlying source attribute in the filter policy rather than here,
  but you can set a property on any generator called
  "activationCondition" to limit use in the most generic way.

Since persistent NameIDs are not based on released attributes (also,
releasing the source data would undermine the pseudonymization
persistent NameIDs provide) you can't not release them in the filter
(as suggested above, which works fine for AttributeSourced NameIDs), so I
think 'activationCondition' is the way to go, here.

I don't have an example handy where you'd block the
SAML2PersistentGenerator based on the value of some resolved attribute,
but if others have that it would make a good addition to the wiki
(hint, hint).
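As an added example (not part of the list post, and not the IdP project's own configuration), here is what an 'activationCondition' on the persistent generator could look like in conf/saml-nameid.xml of an IdP v3 install. The bean id "PersistentNameIDAllowed", the attribute id "githubAccess" and its value "allow" are made up for illustration; the file's stock namespace declarations (util:, p:) are assumed to be present as shipped.

```xml
<!-- conf/saml-nameid.xml (excerpt). Added example, not from the original post. -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <!-- Transient IDs stay available for everyone, as in the stock file. -->
    <ref bean="shibboleth.SAML2TransientGenerator" />

    <!-- Child of the stock persistent generator with a condition attached.
         Assumption: deriving from the system bean via parent= is acceptable
         in this deployment instead of the plain <ref bean=.../>. -->
    <bean parent="shibboleth.SAML2PersistentGenerator"
          p:activationCondition-ref="PersistentNameIDAllowed" />
</util:list>

<!-- Hypothetical condition: true only if the resolved attribute "githubAccess"
     (made-up attribute ID) carries the value "allow". Uses the IdP's default
     JavaScript engine; "input" is the ProfileRequestContext. -->
<bean id="PersistentNameIDAllowed" parent="shibboleth.Conditions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        var rpCtx = input.getSubcontext(
            "net.shibboleth.idp.profile.context.RelyingPartyContext");
        var attrCtx = (rpCtx != null)
            ? rpCtx.getSubcontext(
                "net.shibboleth.idp.attribute.context.AttributeContext")
            : null;
        var allowed = false;
        if (attrCtx != null) {
            // getIdPAttributes() is the filtered set at this point, so the
            // control attribute must be resolved for this SP (see note below).
            var attr = attrCtx.getIdPAttributes().get("githubAccess");
            if (attr != null) {
                var values = attr.getValues();
                for (var i = 0; i < values.size(); i++) {
                    if (values.get(i).getValue().equals("allow")) {
                        allowed = true;
                    }
                }
            }
        }
        // Last expression is the predicate's result.
        allowed;
        ]]>
        </value>
    </constructor-arg>
</bean>
```

Two things to check when adapting this: NameID generation runs after attribute filtering, so the attribute the script reads has to survive the filter policy for that SP (if your IdP version offers getUnfilteredIdPAttributes() on the AttributeContext, reading that instead avoids having to release the control attribute to GitHub at all). And the condition only decides whether this generator runs; what the IdP sends when the persistent generator declines depends on the SP's NameIDPolicy and on which other generators remain in the list, so test the blocked case against the actual SP, not just the log.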

