purepennons / gss

Automatically exported from code.google.com/p/gss

mapping users to group or user class #46

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Is there a possibility to map users by their attributes, for example to map them to a group or user class?

We have a few attributes in LDAP that could be used for this purpose, so I am asking if it can be done.

Regards,
Nikola

Original issue reported on code.google.com by ngara...@gmail.com on 14 Oct 2010 at 8:09

GoogleCodeExporter commented 9 years ago
This is not possible in the current version, but we have discussed both cases 
internally. Mapping an attribute to a user class was the initial plan, but it 
has been abandoned, since the data in the various IdPs were not very consistent 
or properly regulated. It would not be hard to implement this though. Mapping 
users to groups according to attributes was discussed a few months ago, but 
there has not been a full technical analysis, yet. It could be done, but there 
may exist unidentified technical or operational roadblocks ahead.

Original comment by past...@gmail.com on 14 Oct 2010 at 10:24

GoogleCodeExporter commented 9 years ago
Is there a possibility to authorize a user (allow/deny access to gss) based on an attribute value, after authentication? We would like to allow access for users with some attribute value, and not for everyone in our LDAP.

Is there a list of attributes Shibboleth uses with gss, and how/when/where are they used?

Regards,
Nikola

Original comment by ngara...@gmail.com on 14 Oct 2010 at 11:19

GoogleCodeExporter commented 9 years ago
See the Login class, from line 108 onwards:

http://code.google.com/p/gss/source/browse/src/gr/ebs/gss/server/Login.java#108

These are the attributes we retrieve from Shibboleth. Initially we were 
planning to map user classes to the values of HTTP_SHIB_EP_UNSCOPEDAFFILIATION, 
but we are no longer going that route. You may add code here to check any 
attribute provided by Shibboleth and deny or grant access based on its value. 

Original comment by past...@gmail.com on 14 Oct 2010 at 12:19
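A post-authentication gate of the kind this comment suggests, as an added example that is not code from GSS or its Login class: the Shibboleth-supplied attribute is split on the Shibboleth SP's default ';' multi-value separator and compared case-insensitively against an allowlist, denying when the attribute is absent or unrecognised. The attribute name HTTP_SHIB_EP_UNSCOPEDAFFILIATION comes from the thread; the allowed affiliation values and the map-based input (standing in for whatever Login.java reads from the request) are assumptions.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Access decision on a Shibboleth attribute, taken after authentication succeeded. */
public class AffiliationGate {

    // Attribute name as retrieved from Shibboleth (named in the thread above).
    static final String AFFILIATION_ATTR = "HTTP_SHIB_EP_UNSCOPEDAFFILIATION";

    // Assumed local policy: only these eduPersonAffiliation values may use the service.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("member", "staff", "faculty"));

    /**
     * Returns true only if the attribute is present and at least one of its values
     * is on the allowlist. A missing, empty or unknown value is denied (fail closed),
     * so a user whose IdP releases nothing usable is not admitted by accident.
     */
    static boolean isAuthorized(Map<String, String> shibAttributes) {
        String raw = shibAttributes.get(AFFILIATION_ATTR);
        if (raw == null || raw.trim().isEmpty()) {
            return false;
        }
        // The Shibboleth SP joins multi-valued attributes with ';' by default.
        Set<String> values = Arrays.stream(raw.split(";"))
                .map(v -> v.trim().toLowerCase(Locale.ROOT))
                .filter(v -> !v.isEmpty())
                .collect(Collectors.toSet());
        values.retainAll(ALLOWED);
        return !values.isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample attribute sets; in Login.java these would come from the request.
        Map<String, String> staff = Map.of(AFFILIATION_ATTR, "staff;member");
        Map<String, String> affiliate = Map.of(AFFILIATION_ATTR, "affiliate");
        Map<String, String> released_nothing = Map.of();
        System.out.println("staff;member -> " + isAuthorized(staff));
        System.out.println("affiliate    -> " + isAuthorized(affiliate));
        System.out.println("no attribute -> " + isAuthorized(released_nothing));
    }
}
```

Denying on an absent attribute matters because attribute release is configured per IdP; a user from an IdP that does not release affiliation should see a denial, not a silent pass.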