GitHub access control
Peter Schober
peter.schober at univie.ac.at
Wed Jul 15 18:11:43 UTC 2020
* Schwendner, Joanne <joanne_schwendner at brown.edu> [2020-07-15 20:03]:
> It seems the only attribute GitHub cares about is NameID. We are currently
> passing our persistent ID in NameID. If it's there, they get in. To block
> access for a user, we would have to NOT send NameID in the assertion, if
> that's even possible.
>
> Is it possible to conditionally NOT send NameID depending on a user's other
> attributes?
From a comment in conf/saml-nameid.xml of my IDPv3 install:
These generator lists handle NameID/Nameidentifier generation going
forward. By default, transient IDs for both SAML versions are
enabled. The commented examples are for persistent IDs and
generating more one-off formats based on resolved attributes. The
suggested approach is to control their use via release of the
underlying source attribute in the filter policy rather than here,
but you can set a property on any generator called
"activationCondition" to limit use in the most generic way.
Since persistent NameIDs are not based on released attributes (also
releasing the source data would undermine the pseudonymization
persistent NameIDs provide) you can't not release them in the filter
(as suggested above and works fine for AttributeSourced NameIDs), so I
think 'activationCondition' is the way to go, here.
I don't have an example handy where you'd block the
SAML2PersistentGenerator based on the value of some resolved attribute,
but if others have one it would make a good addition to the wiki
(hint, hint).
-peter
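Editor's note: an added example of the approach described above, not taken from the original message or from the Shibboleth project's own configuration. It shows a scripted activationCondition on the persistent generator in conf/saml-nameid.xml (IdP v3): the persistent NameID is generated for every relying party except GitHub, and for GitHub only when the user carries a gating attribute. The GitHub entityID (https://github.com/orgs/example-org), the bean id githubPersistentCondition, the attribute id eduPersonEntitlement and the entitlement value urn:mace:example.org:github are assumptions for illustration. The script reads the unfiltered attribute set so the gating attribute does not itself have to be released to GitHub; that method (getUnfilteredIdPAttributes) is assumed to be present on the AttributeContext of the IdP version in use.

```xml
<!-- Added example, not original configuration. Goes into conf/saml-nameid.xml. -->

<!-- Condition evaluated before the SAML2PersistentGenerator is used.
     "input" is the ProfileRequestContext; the script's last expression is the result. -->
<bean id="githubPersistentCondition" parent="shibboleth.Conditions.Scripted"
      factory-method="inlineScript">
    <constructor-arg>
        <value>
        <![CDATA[
        "use strict";
        // Assumed values for this illustration:
        var githubEntityId   = "https://github.com/orgs/example-org";
        var gatingAttribute  = "eduPersonEntitlement";
        var gatingValue      = "urn:mace:example.org:github";

        var result = true;   // default: persistent NameID allowed for everyone else
        var rpCtx = input.getSubcontext("net.shibboleth.idp.profile.context.RelyingPartyContext");
        if (rpCtx != null) {
            var rpId = rpCtx.getRelyingPartyId();
            if (rpId != null && rpId.equals(githubEntityId)) {
                // For GitHub: only allow if the gating attribute has the expected value.
                result = false;
                var attrCtx = rpCtx.getSubcontext("net.shibboleth.idp.attribute.context.AttributeContext");
                if (attrCtx != null) {
                    // Unfiltered set: the gating attribute need not be released to GitHub (assumed API).
                    var attr = attrCtx.getUnfilteredIdPAttributes().get(gatingAttribute);
                    if (attr != null) {
                        var values = attr.getValues();
                        for (var i = 0; i < values.size(); i++) {
                            if (values.get(i).getValue().equals(gatingValue)) {
                                result = true;
                            }
                        }
                    }
                }
            }
        }
        result;
        ]]>
        </value>
    </constructor-arg>
</bean>

<!-- Generator list: the persistent generator is declared as a child of the built-in bean
     so the activationCondition property can be attached to it (assumed to be supported). -->
<util:list id="shibboleth.SAML2NameIDGenerators">
    <ref bean="shibboleth.SAML2TransientGenerator" />
    <bean parent="shibboleth.SAML2PersistentGenerator"
          p:activationCondition-ref="githubPersistentCondition" />
</util:list>
```

Caveat from the editor: this only deactivates the persistent generator. If the transient generator stays in the list and GitHub's metadata or the IdP's relying-party configuration allows that format, the IdP falls back to it and GitHub still receives a NameID, just a transient one, so check how GitHub treats such a subject before relying on this as an access control. Enforcing access at the intercept stage (the IdP's context-check flow) is the more direct way to refuse the login outright.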