Hello all,
by using the Shibboleth Attribute Filter [0] we could successfully test
some basic authorization rules.
So first we added another attribute (in this case:
eduPersonAffiliation), which is returned by the RADIUS server to the SP
(we've tested this with SAML-Assertions hardcoded into post-auth
replies, both from freeradius and radiator):
<saml:Assertion
  ...
  <saml:AttributeStatement>
    ...
    <saml:Attribute
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>
        employee
      </saml:AttributeValue>
    </saml:Attribute>
    ...
  </saml:AttributeStatement>
</saml:Assertion>
(just reformatted for increased readability)
Then we replaced the AttributeFilterPolicy
within /etc/shibboleth/attribute-policy.xml with the following, which
basically says: allow the local-login-user attribute only if attribute
unscoped-affiliation has value student or employee:
<afp:AttributeFilterPolicyGroup
  ...
  <afp:AttributeFilterPolicy>
    <!-- IF -->
    <afp:PolicyRequirementRule xsi:type="basic:OR">
      <basic:Rule
        xsi:type="basic:AttributeValueString"
        attributeID="unscoped-affiliation"
        value="student" />
      <basic:Rule
        xsi:type="basic:AttributeValueString"
        attributeID="unscoped-affiliation"
        value="employee" />
    </afp:PolicyRequirementRule>
    <!-- Then allow local-login-user -->
    <afp:AttributeRule
      attributeID="local-login-user">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
This is just a very simple rule, but it provides a working example: The
SSH-Login succeeds if the attribute eduPersonAffiliation has the value
"student" or "employee", but it fails whenever it is "guest", "alum",
"monkey", or whatever.
Thanks to Rhys and Josh for helping out on this!
Daniel
[0] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAttributeFilter
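As an added example that is not part of the original post (and not Shibboleth's own code), here is a small Python evaluator that applies the same basic:OR / basic:AttributeValueString policy to a constructed assertion, so the release decision for local-login-user can be checked offline before touching the SP. It assumes the SP maps the OID to the id unscoped-affiliation the way the stock attribute-map.xml does; ATTRIBUTE_MAP, permitted_ids and assertion_with are my names, and the POLICY string is the policy above with the namespace declarations it needs to parse.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Assumed attribute-map.xml entry: SAML attribute Name -> SP attribute id.
ATTRIBUTE_MAP = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "unscoped-affiliation"}

# The policy from the post, plus the xmlns declarations needed to parse it stand-alone.
POLICY = """<afp:AttributeFilterPolicy xmlns:afp="urn:mace:shibboleth:2.0:afp"
 xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <afp:PolicyRequirementRule xsi:type="basic:OR">
  <basic:Rule xsi:type="basic:AttributeValueString" attributeID="unscoped-affiliation" value="student"/>
  <basic:Rule xsi:type="basic:AttributeValueString" attributeID="unscoped-affiliation" value="employee"/>
 </afp:PolicyRequirementRule>
 <afp:AttributeRule attributeID="local-login-user"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
</afp:AttributeFilterPolicy>"""

def parse_attributes(assertion_xml):
    """Map the assertion's attributes through ATTRIBUTE_MAP to {sp_id: [values]}."""
    attrs = {}
    for att in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        sp_id = ATTRIBUTE_MAP.get(att.get("Name"))
        if sp_id:  # unmapped attributes never reach the filter
            for val in att.iterfind("saml:AttributeValue", NS):
                attrs.setdefault(sp_id, []).append((val.text or "").strip())
    return attrs

def rule_matches(rule, attrs):
    """Evaluate a basic:OR tree of basic:AttributeValueString leaves."""
    kind = rule.get(XSI_TYPE)  # QName prefix 'basic', as written in the post
    if kind == "basic:OR":
        return any(rule_matches(r, attrs) for r in rule)
    if kind == "basic:AttributeValueString":  # exact, case-sensitive comparison
        return rule.get("value") in attrs.get(rule.get("attributeID"), [])
    raise ValueError(f"unsupported rule type {kind}")

def permitted_ids(assertion_xml, policy_xml=POLICY):
    """Attribute ids this policy releases for the given assertion (empty if the IF fails)."""
    policy = ET.fromstring(policy_xml)
    ok = rule_matches(policy.find("afp:PolicyRequirementRule", NS), parse_attributes(assertion_xml))
    return {r.get("attributeID") for r in policy.iterfind("afp:AttributeRule", NS)
            if ok and r.find("afp:PermitValueRule", NS).get(XSI_TYPE) == "basic:ANY"}

def assertion_with(affiliation):
    """Constructed test assertion carrying only eduPersonAffiliation (OID from the post)."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:AttributeStatement>
 <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
  <saml:AttributeValue>{affiliation}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
```

Note that the match is case-sensitive here, so "Employee" is rejected just like "guest"; that is the behaviour to confirm against the real SP before relying on the rule.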