Restricting access to a Service Provider on the IdP side

Cantor, Scott cantor.2 at osu.edu
Tue Nov 15 14:35:49 UTC 2022


> we need to restrict access to an SP on IdP-Side. I found a thread from
> 5 years ago[1]. So far so good, but what it does not explain is how to
> wire the bean into the relying-party.xml.

Probably because that isn't how it works, I guess.

https://wiki.shibboleth.net/confluence/display/IDP4/ContextCheckInterceptConfiguration

There is nothing to "wire into relying-party.xml" unless you're trying to do something fancy with metadata to control the settings and not just switching over to metadata-driven settings for everything.

The best way to do this is to define generic attribute(s) in the resolver that signal whether to allow access, and use a SimpleAttributePredicate in the interceptor function to detect what to do. That makes all the logic reloadable.

-- Scott
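
A sketch of the approach described in the reply, added here as an example; it is not from the original message or from the Shibboleth project. It shows a resolver attribute that signals whether access is allowed and a SimpleAttributePredicate that the context-check interceptor evaluates. It assumes IdP V4 syntax and an `eduPersonEntitlement` definition elsewhere in the resolver; the attribute id `spAccessAllowed`, the entityID and the entitlement value are hypothetical.

```xml
<!-- Attribute resolver: internal signal attribute, not named in any
     filter policy, so it is never released to an SP. -->
<AttributeDefinition id="spAccessAllowed" xsi:type="ScriptedAttribute">
    <InputAttributeDefinition ref="eduPersonEntitlement" />
    <Script><![CDATA[
        // Constructed values: the restricted SP and the entitlement that grants access.
        var restrictedSP = "https://sp.example.org/shibboleth";
        var required = "urn:example:entitlement:restricted-sp";

        var entitled = typeof eduPersonEntitlement !== "undefined"
            && eduPersonEntitlement !== null
            && eduPersonEntitlement.getValues().contains(required);

        // Every other SP is allowed; the restricted one needs the entitlement.
        if (resolutionContext.getAttributeRecipientID() != restrictedSP || entitled) {
            spAccessAllowed.addValue("true");
        }
    ]]></Script>
</AttributeDefinition>

<!-- Context-check intercept: proceed only when the signal attribute is "true". -->
<bean id="shibboleth.context-check.Condition"
      class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate"
      p:useUnfilteredAttributes="true">
    <property name="attributeValueMap">
        <map>
            <entry key="spAccessAllowed">
                <list>
                    <value>true</value>
                </list>
            </entry>
        </map>
    </property>
</bean>
```

Because the predicate reads unfiltered attributes, the signal attribute needs no release rule, and the access decision lives entirely in the resolver.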
 



More information about the users mailing list