Open GoogleCodeExporter opened 9 years ago
This is not possible in the current version, but we have discussed both cases
internally. Mapping an attribute to a user class was the initial plan, but it
has been abandoned, since the data in the various IdPs were not very consistent
or properly regulated. It would not be hard to implement this though. Mapping
users to groups according to attributes was discussed a few months ago, but
there has not been a full technical analysis yet. It could be done, but there
may exist unidentified technical or operational roadblocks ahead.
Original comment by past...@gmail.com
on 14 Oct 2010 at 10:24
Is there a possibility to authorize a user (allow/deny access to gss) based on
an attribute value, after authentication? We would like to allow access for users
with some attribute value, and not everyone in our LDAP.
Is there a list of attributes Shibboleth uses with gss, and how/when/where they
are used?
Regards,
Nikola
Original comment by ngara...@gmail.com
on 14 Oct 2010 at 11:19
See the Login class, from line 108 onwards:
http://code.google.com/p/gss/source/browse/src/gr/ebs/gss/server/Login.java#108
These are the attributes we retrieve from Shibboleth. Initially we were
planning to map user classes to the values of HTTP_SHIB_EP_UNSCOPEDAFFILIATION,
but we are no longer going that route. You may add code here to check any
attribute provided by Shibboleth and deny or grant access based on its value.
Original comment by past...@gmail.com
on 14 Oct 2010 at 12:19
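An illustration of the attribute check suggested in the comment above, added here and not taken from the gss code base: it takes the raw value of HTTP_SHIB_EP_UNSCOPEDAFFILIATION as a string and denies by default. The class name, the allowlist values and the sample inputs are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not part of gss: fail-closed authorization on a Shibboleth attribute.
public class AffiliationGate {
    // Hypothetical allowlist; replace with the values your IdP actually releases.
    static final Set<String> ALLOWED = Set.of("staff", "faculty");

    // The Shibboleth SP joins multiple values with ';' and escapes a literal ';' as "\;".
    static List<String> splitValues(String raw) {
        List<String> values = new ArrayList<>();
        if (raw == null) return values;          // attribute not released: no values
        StringBuilder cur = new StringBuilder();
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            if (c == '\\' && i + 1 < raw.length() && raw.charAt(i + 1) == ';') {
                cur.append(';');                 // escaped separator belongs to the value
                i++;
            } else if (c == ';') {
                add(values, cur);
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        add(values, cur);
        return values;
    }

    // Affiliation values are compared case-insensitively, so normalize before storing.
    private static void add(List<String> values, StringBuilder cur) {
        String v = cur.toString().trim().toLowerCase(Locale.ROOT);
        if (!v.isEmpty()) values.add(v);
    }

    // Deny when the attribute is missing or empty, or when no value is on the allowlist.
    static boolean isAllowed(String rawAffiliation) {
        for (String v : splitValues(rawAffiliation)) {
            if (ALLOWED.contains(v)) return true;   // exact match only, never substring
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample values of HTTP_SHIB_EP_UNSCOPEDAFFILIATION.
        String[] samples = {"member;staff", "student", "", null, "xstaff", "Staff "};
        for (String s : samples) {
            System.out.println(s + " -> " + (isAllowed(s) ? "allow" : "deny (403)"));
        }
    }
}
```

In a servlet, pass in the value the Shibboleth SP set on the request and answer with 403 when `isAllowed` returns false. If that value arrives as a request header, the front end must strip any client-supplied copy of the header before the SP sets it.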
Original issue reported on code.google.com by
ngara...@gmail.com
on 14 Oct 2010 at 8:09