Andy's right; the SP should take care of the authorisation based on the
value of attributes released, and if necessary provide an
eduPersonEntitlement value to facilitate this, not require the IdP to
compute the user's entitlement to access the service and withhold or
release attributes accordingly.
Jon, is this a UK federation SP, and if so, are you able to tell us
which SP it is, please? If not on the mailing list then in a private email?
Thanks,
Sara
UK federation technical team
On 06/10/2014 14:47, Andy Swiffin wrote:
> I can't see how you can do what you're asking! You want a login
> event to fail in the event that certain directory attributes are set
> or a group membership value is/isn't there? I suppose you could
> write your own login handler to incorporate such code, but... And
> now I think about it, that wouldn't work: if you were already
> authenticated in the session to another SP you would just get in to
> this one by SSO.
>
> You can of course set up an attribute resolver that will not create
> any attributes for release to that particular SP in the event the
> conditions are/aren't met (or do it in the filter). But you're
> saying this fails messily? I would have thought the onus should
> always be on the SP to reject access if its access conditions aren't
> met.
>
> Cheers,
> Andy
>
>
>> -----Original Message-----
>> From: Discussion list for Shibboleth developments [mailto:JISC- [log in to unmask]] On Behalf Of Jon Warbrick
>> Sent: 06 October 2014 11:56
>> To: [log in to unmask]
>> Subject: Imposing access control at the IdP end
>>
>> At least in the normal SAML 'e-journal' case, access control
>> decisions are made at the SP end based on attributes supplied by
>> the IdP. However I've now been asked to support an SP that (in
>> effect) requires my IdP to make the access control decisions
>> itself. Is this anything anyone else has come across? Anyone got a
>> good way to support it?
>>
>> In more detail, the resource accepts any authentication made by my
>> IdP. I'm required to supply some personalisation attributes
>> (forename, surname, email address) but no entitlement information.
>> The catch is that my IdP is capable of authenticating people who
>> are not entitled to access this resource. Empirically I can omit
>> the personalisation attributes for non-entitled people, in which
>> case the authentication fails, but it fails messily so the user
>> experience wouldn't be good. I'm not aware of any general way to
>> abort a Shibboleth/SAML authentication request. Does anyone
>> (preferably for the Shibboleth Consortium SAML software)?
>>
>> Ta.
>>
>> Jon.
>>
>> --
>> Jon Warbrick
>> Information Systems Manager, University of Cambridge Information Services
>
> The University of Dundee is a registered Scottish Charity, No:
> SC015096
>
--
Sara Hopkins
Support Team
UK Access Management Federation for Education and Research
web: http://www.ukfederation.org.uk/
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
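As an added illustration of the SP-side enforcement that Sara and Andy recommend (an example configuration written for this page, not taken from the thread or from any deployment mentioned in it), the fragment below is a Shibboleth SP RequestMap for shibboleth2.xml that refuses to serve protected content unless the session carries a specific eduPersonEntitlement value. The hostname, path and entitlement URI are placeholders; the attribute id "entitlement" is the one the SP's default attribute-map.xml assigns to eduPersonEntitlement.

```xml
<!-- Added example for the Shibboleth SP's shibboleth2.xml; not from the thread.
     journal.example.org, /secure and the entitlement URI are placeholders. -->
<RequestMapper type="Native">
  <RequestMap>
    <Host name="journal.example.org">
      <!-- Every request under /secure must have a Shibboleth session ... -->
      <Path name="secure" authType="shibboleth" requireSession="true">
        <!-- ... and that session must contain the entitlement value the IdP
             releases only for entitled users. "entitlement" is the id that the
             default attribute-map.xml gives eduPersonEntitlement
             (urn:oid:1.3.6.1.4.1.5923.1.1.1.7). A user who authenticates
             without it is sent to the SP's access-denied page instead of
             failing part-way through the login. -->
        <AccessControl>
          <Rule require="entitlement">urn:mace:example.org:entitlement:journal-access</Rule>
        </AccessControl>
      </Path>
    </Host>
  </RequestMap>
</RequestMapper>
```

The matching half on the IdP is the attribute resolver or filter Andy describes: it computes eduPersonEntitlement from the directory or group data and releases the value only for entitled users, while still releasing the personalisation attributes to everyone. Authentication then always completes cleanly, and the SP, which owns the access decision, produces a deliberate and explainable denial rather than a messy failed login.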