I can't see how you can do what you're asking! You want a login event to fail in the event that certain directory attributes are set or a group membership value is/isn't there? I suppose you could write your own login handler to incorporate such code, but... And now I think about it, that wouldn't work: if you were already authenticated in the session to another SP you would just get in to this one by SSO.
You can of course set up an attribute resolver that will not create any attributes for release to that particular SP in the event the conditions are/aren't met (or do it in the filter). But you're saying this fails messily? I would have thought the onus should always be on the SP to reject access if its access conditions aren't met.
Cheers
Andy
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of Jon Warbrick
> Sent: 06 October 2014 11:56
> To: [log in to unmask]
> Subject: Imposing access control at the IdP end
>
> At least in the normal SAML 'e-journal' case, access control decisions are
> made at the SP end based on attributes supplied by the IdP. However I've
> now been asked to support an SP that (in effect) requires my IdP to make
> the access control decisions itself. Is this anything anyone else has come
> across? Anyone got a good way to support it?
>
> In more detail, the resource accepts any authentication made by my IdP.
> I'm required to supply some personalisation attributes (forename, surname,
> email address) but no entitlement information. The catch is that my IdP is
> capable of authenticating people who are not entitled to access this
> resource. Empirically I can omit the personalisation attributes for non-
> entitled people, in which case the authentication fails, but it fails messily so
> the user experience wouldn't be good. I'm not aware of any general way to
> abort a Shibboleth/SAML authentication request. Does anyone (preferably
> for the Shibboleth Consortium SAML software)?
>
> Ta.
>
> Jon.
>
> --
> Jon Warbrick
> Information Systems Manager, University of Cambridge Information Services
The University of Dundee is a registered Scottish Charity, No: SC015096
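As an added illustration of the "do it in the filter" route Andy describes (this is example configuration written for this page, not something either poster supplied), the following is a Shibboleth IdP 2.x `attribute-filter.xml` policy that releases the personalisation attributes Jon mentions (forename, surname, email) to one SP only when the user also carries an entitlement value. The SP entityID, the entitlement value and the attribute IDs (`givenName`, `sn`, `email`, `eduPersonEntitlement`) are assumptions; they must match whatever the attribute resolver actually defines.

```xml
<!-- Added example, not configuration from the thread.
     Assumptions: the requester entityID and the entitlement value below are
     placeholders, and eduPersonEntitlement is already resolved upstream. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

  <!-- The policy only applies when BOTH rules hold: the requester is the
       particular SP, and the principal holds the entitlement value.
       For anyone else authenticating to that SP the policy does not match,
       so none of the AttributeRules below release anything. -->
  <AttributeFilterPolicy id="ejournalSPEntitledUsersOnly">
    <PolicyRequirementRule xsi:type="basic:AND">
      <basic:Rule xsi:type="basic:AttributeRequesterString"
                  value="https://sp.example.org/shibboleth"/>          <!-- placeholder SP entityID -->
      <basic:Rule xsi:type="basic:AttributeValueString"
                  attributeID="eduPersonEntitlement"
                  value="urn:mace:example.org:entitlement:ejournal"/>  <!-- placeholder value -->
    </PolicyRequirementRule>

    <!-- Personalisation attributes released only when the rule above matched. -->
    <AttributeRule attributeID="givenName">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="sn">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="email">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

The effect can be checked before deployment with the IdP's `aacli.sh` tool, which resolves and filters attributes for a given `--principal` and `--requester` without a live login, once for an entitled account and once for a non-entitled one. Note the limitation Jon already ran into: this only withholds attributes, it does not abort the SAML exchange. The assertion is still issued, so whether the non-entitled user sees a clean refusal or a "messy" failure is entirely down to how the SP handles a response with the expected attributes missing.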