OpenConext / OpenConext-pdp

OpenConext implementation of a XACML based PDP engine for access policy enforcement
Apache License 2.0

Block all pre-students unless a PDP-rule exists #231

Open phavekes opened 1 month ago

phavekes commented 1 month ago

This issue is imported from pivotal - Originally created at Jun 6, 2016 by Raoul Teeuwen

As an institution I want to deny access to ‘pre-students’ by default. I want to be able to specify some services that a ‘pre-student’ may access.

‘Pre-students’ can be identified by the eduPersonAffiliation value.

Since we expect more values for which we want this behaviour, instead of doing this for just pre-students, we want to be able to specify for which values for eduPersonAffiliation the default authorization policy is reversed. I.e., if a login is detected for a user with one of these attribute values, it should DENY access (unless an ALLOW PDP rule is defined).

Example: we want to allow pre-students (and maybe others later) in SURFconext. The plan is to by default block IDs access to an SP when they have eduPersonAffiliation value "pre-student", unless an Authz rule exists granting this category access to the SP.

The coin:policy_decision_required should then also be enabled for IdPs.
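The "reversed default" described above, modelled as a small decision function. This is an added example, not OpenConext-pdp code and not a XACML policy: the attribute names, the `AllowRule` shape and the configurable set of deny-by-default affiliation values are assumptions chosen to illustrate the issue. It follows the XACML convention that a multi-valued attribute matches when any of its values matches, so a user carrying both "student" and "pre-student" still falls into the deny-by-default category.

```python
"""
Model of the proposed rule: a login whose eduPersonAffiliation contains one of a
configured set of values (initially just "pre-student") is denied at an SP unless
an explicit allow rule for that SP exists; all other logins keep the normal
default (permit). Added example, not project code; names are assumptions.
"""
from dataclasses import dataclass

# Affiliation values for which the default decision is reversed (assumed config).
DENY_BY_DEFAULT_AFFILIATIONS = frozenset({"pre-student"})


@dataclass(frozen=True)
class AllowRule:
    """Hypothetical allow rule: which restricted affiliations may reach which SP."""
    sp_entity_id: str
    affiliations: frozenset


def decide(affiliations, sp_entity_id, allow_rules,
           restricted=DENY_BY_DEFAULT_AFFILIATIONS):
    """Return "Permit" or "Deny" for one login.

    affiliations: the (possibly multi-valued, possibly empty) eduPersonAffiliation
    bag released by the IdP. Any-value matching, as a XACML Target Match would do.
    """
    restricted_hits = restricted & set(affiliations)
    if not restricted_hits:
        # Not in a deny-by-default category: the existing default applies.
        return "Permit"
    # Deny-unless-permit for restricted users: only an explicit rule that
    # grants one of the restricted affiliations the user carries at this SP
    # turns the decision into Permit.
    for rule in allow_rules:
        if rule.sp_entity_id == sp_entity_id and rule.affiliations & restricted_hits:
            return "Permit"
    return "Deny"


# Constructed sample data (not real SURFconext entities or rules).
SAMPLE_RULES = (
    AllowRule("https://sp.example.org/lms", frozenset({"pre-student"})),
)

SAMPLE_LOGINS = {
    "student_to_lms": (["student"], "https://sp.example.org/lms"),
    "prestudent_to_lms": (["pre-student"], "https://sp.example.org/lms"),
    "prestudent_to_hr": (["pre-student"], "https://sp.example.org/hr"),
    "mixed_to_hr": (["student", "pre-student"], "https://sp.example.org/hr"),
    "no_affiliation_to_hr": ([], "https://sp.example.org/hr"),
}


def evaluate_sample():
    """Run every constructed login through decide() and return the decisions."""
    return {name: decide(affs, sp, SAMPLE_RULES)
            for name, (affs, sp) in SAMPLE_LOGINS.items()}


if __name__ == "__main__":
    for name, outcome in evaluate_sample().items():
        print(f"{name:22} -> {outcome}")
```

Two caveats the model makes visible: a login that releases no eduPersonAffiliation at all is not recognised as a pre-student and gets the normal default, so the rule only protects against pre-students the IdP actually labels; and an allow rule permits the whole category at that SP, so a user with several restricted values is let in as soon as one of them is allowed there. Whether that second behaviour is wanted is a policy choice, not something the issue settles.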

phavekes commented 1 month ago

We discussed this (June 13th, 2016) with Bas Z & Thijs K. 3 possible solutions were discussed.

One uses the PDP, but if we want to do it via the PDP, we need to be able to set global rules (if "pre-student"...) which currently is not an option in the UI (probably XACML would allow it, so the UI would need to be changed).

The 2nd option is a rule in EB: when "pre-student" is a value of affiliation and SR says the SP allows pre-students, pre-students get access, and in other cases access is blocked. This would need an extra option in SR and some code changes in EB.

The 3rd option is using Attribute Manipulation: this is the easiest option for the short term. So we go with that, until it seems necessary to change that. (Raoul Teeuwen - Jun 13, 2016)