On Mon, 6 Oct 2014, Andy Swiffin wrote:
> I can't see how you can do what you're asking! You want a login event
> to fail in the event that certain directory attributes are set or a
> group membership value is/is not there?
Essentially, yes.
> I suppose you could write your
> own login handler to incorporate such code, but... And now I think
> about it that wouldn't work, if you were already authenticated in the
> session to another SP you would just get in to this one by SSO.
>
> You can of course set up an attribute resolver that will not create any
> attributes for release to that particular SP in the event the conditions
> are/are not met (or do it in the filter). But you're saying this fails
> messily?
Yes - a page saying "Error - Single Sign-On. Single sign-on was
unsuccessful (reference <foo>). Please contact your technology services
team for assistance", which doesn't really convey "You are not entitled to
access".
> I would have thought the onus should always be on the SP to
> reject access if its access conditions aren't met.
I had thought that, and it's the way that UK federation sites typically
work. But on further consideration it doesn't seem entirely unreasonable
for the SP to want us to simply not refer people to them at all if they
aren't entitled.
On Mon, 6 Oct 2014, Sara Hopkins wrote:
> Andy's right; the SP should take care of the authorisation based on the value
> of attributes released, and if necessary provide an eduPersonEntitlement
> value to facilitate this, not require the IdP to compute the user's
> entitlement to access the service and withhold or release attributes
> accordingly.
>
> Jon, is this a UK federation SP, and if so, are you able to tell us which SP
> it is, please? If not on the mailing list then in a private email?
No, this isn't a UK federation SP.
Jon.
--
Jon Warbrick
Information Systems Manager, University of Cambridge Information Services
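As an added illustration of the approach Andy and Sara recommend above (not code from the thread or from any Shibboleth project), here is a minimal SP-side authorisation check over released attributes: the SP inspects the eduPersonEntitlement values in the SAML attribute statement it received and returns an explicit "not entitled" outcome instead of leaving the user with a generic single-sign-on failure. The required entitlement value, the sample assertions and the function names are constructed for this example; the eduPersonEntitlement OID is the standard one.

```python
"""SP-side authorisation on released eduPersonEntitlement values.

Added example, not part of the original mailing-list post. The SAML
attribute statements below are hand-constructed samples, and the
required entitlement value is an assumption made for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard OID-form attribute name for eduPersonEntitlement.
EDUPERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
# Constructed value: what this (hypothetical) SP requires in order to grant access.
ENTITLEMENT_REQUIRED = "urn:mace:example.org:entitlement:library-access"


def released_attributes(statement_xml: str) -> Dict[str, List[str]]:
    """Collect Name -> [values] from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = attr.get("Name", "")
        values = [
            (v.text or "").strip()
            for v in attr.findall(f"{{{SAML2}}}AttributeValue")
        ]
        attrs.setdefault(name, []).extend(values)
    return attrs


def authorise(statement_xml: str, required: str = ENTITLEMENT_REQUIRED) -> Tuple[bool, str]:
    """Decide access at the SP and return (granted, user-facing reason).

    Authentication already succeeded at the IdP; this is purely the
    SP's authorisation step on the attributes it was given.
    """
    entitlements = released_attributes(statement_xml).get(EDUPERSON_ENTITLEMENT, [])
    if required in entitlements:
        return True, "access granted"
    if not entitlements:
        # Covers the case where the IdP released nothing at all for this SP.
        return False, "You are not entitled to access this service (no entitlement released)."
    return False, "You are not entitled to access this service (required entitlement not held)."


def _statement(values: List[str]) -> str:
    """Build a constructed AttributeStatement carrying the given entitlement values."""
    if not values:
        return f'<saml:AttributeStatement xmlns:saml="{SAML2}"/>'
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (
        f'<saml:AttributeStatement xmlns:saml="{SAML2}">'
        f'<saml:Attribute Name="{EDUPERSON_ENTITLEMENT}">{vals}</saml:Attribute>'
        "</saml:AttributeStatement>"
    )


# Constructed samples: entitled user, user with an unrelated entitlement,
# and a user for whom the IdP released no attributes at all.
SAMPLE_ENTITLED = _statement([ENTITLEMENT_REQUIRED, "urn:mace:example.org:entitlement:wifi"])
SAMPLE_OTHER = _statement(["urn:mace:example.org:entitlement:wifi"])
SAMPLE_NOTHING = _statement([])

if __name__ == "__main__":
    for label, stmt in (("entitled", SAMPLE_ENTITLED), ("other", SAMPLE_OTHER), ("nothing", SAMPLE_NOTHING)):
        print(label, authorise(stmt))
```

Putting the decision at the SP means the user always reaches a page the SP controls, so the message can say "not entitled" rather than the IdP's generic SSO error; it also behaves sensibly if an IdP chooses to release nothing for that SP.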