Shibboleth idp4 and authorization only to some Windows AD group.

Josef Karliak karliak at fnhk.cz
Thu Mar 4 13:49:03 UTC 2021


Good afternoon, 

that v2 configuration allowed only users who are in the group
"IDP_Group" to authorize to our IdP when they're accessing some/any
SP. We wanted only some users to authorize, not all users in our Windows
AD.

Thanks and best regards 

J.Karliak 

---
Bc. Josef Karliak
Network and e-mail administration
Fakultní nemocnice Hradec Králové
Department of Computing Systems
Sokolská 581, 500 05 Hradec Králové
Tel.: +420 495 833 931, Mob.: +420 724 235 654
e-mail: josef.karliak at fnhk.cz, http://www.fnhk.cz
XMPP/Jabber: chosinek at jabb.im

On 2021-03-04 14:38, Peter Schober wrote:

> * Josef Karliak via users <users at shibboleth.net> [2021-03-04 07:38]: 
> 
>> On the old Shibboleth IdP 2 we used to allow only users in some Windows AD
>> group to authorize; is that possible too in Shibboleth IdP 4?
>> 
>> On v2 :
>> 
>> authorizationFilter="(memberOf=CN=IDP_Group,CN=Users,DC=domain,DC=local)"
> 
> I can't remember what that setting did.
> What exactly do you mean with "authorize" users to your IDP?
> Supplying an LDAP search filter that prevents any NOT matching the
> filter from using the IDP?
> 
> Or is this in relation to a specific set of SPs (i.e., you'd want to
> prevent the non-matching subjects from accessing those SPs but can
> access anything else as far as your IDP is concerned)?
> 
> For the former it's idp.authn.LDAP.userFilter in conf/ldap.properties
> 
> Documentation for that can be found via
> IDP4 wiki home page -> Configuration -> Authentication -> Password -> LDAP:
> https://wiki.shibboleth.net/confluence/display/IDP4/Configuration
> https://wiki.shibboleth.net/confluence/display/IDP4/AuthenticationConfiguration
> https://wiki.shibboleth.net/confluence/display/IDP4/PasswordAuthnConfiguration
> https://wiki.shibboleth.net/confluence/display/IDP4/LDAPAuthnConfiguration
> 
> -peter
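For the first case Peter describes (nobody outside the AD group may log in to the IdP at all), the v2 `authorizationFilter` maps onto the `idp.authn.LDAP.userFilter` search filter in `conf/ldap.properties`. The fragment below is an added illustration, not configuration from this thread or from the Shibboleth project; the group DN is the one quoted in Josef's v2 filter, while `sAMAccountName` as the login attribute and the `bindSearchAuthenticator` settings are assumptions about a typical AD deployment.

```properties
# conf/ldap.properties (Shibboleth IdP 4) -- illustrative fragment, assumptions noted below.

# The filter is only applied by the search-based authenticators; AD normally
# refuses anonymous searches, so a service account bind is assumed here.
idp.authn.LDAP.authenticator        = bindSearchAuthenticator
idp.authn.LDAP.ldapURL              = ldaps://dc.domain.local:636
idp.authn.LDAP.baseDN               = CN=Users,DC=domain,DC=local
idp.authn.LDAP.bindDN               = CN=idp-svc,CN=Users,DC=domain,DC=local
idp.authn.LDAP.bindDNCredential     = CHANGE-ME-placeholder

# Permissive (default-style) filter: any account that can bind may log in.
# idp.authn.LDAP.userFilter = (sAMAccountName={user})

# Restricted filter: the account must also be a DIRECT member of IDP_Group
# (group DN taken from the v2 authorizationFilter in this thread).
# Users outside the group are simply not found by the search, so their
# login fails before the bind is ever attempted.
idp.authn.LDAP.userFilter = (&(sAMAccountName={user})(memberOf=CN=IDP_Group,CN=Users,DC=domain,DC=local))

# If IDP_Group contains nested groups, plain memberOf does not expand them.
# AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match walks the membership chain:
# idp.authn.LDAP.userFilter = (&(sAMAccountName={user})(memberOf:1.2.840.113556.1.4.1941:=CN=IDP_Group,CN=Users,DC=domain,DC=local))
```

Two things worth checking after the change: a non-member's attempt shows up in `idp-process.log` as an ordinary authentication failure (the user is not distinguishable from a mistyped username at the IdP's login form), and the nested-group variant is noticeably more expensive on the domain controller, so test it against a realistic group tree before relying on it.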