Using the LdapRoleAuthorizationModule w/Shibboleth 2 IdP?

jsinclair
Using Shibboleth IdP 2 for Google SSO for email. Successfully authenticating users via the ShibUserPassAuth {edu.vt.middleware.ldap.jaas.LdapLoginModule} in login.config.

15:16:51.081 - INFO [edu.vt.middleware.ldap.Authenticator:297] - Authentication succeeded for user

After a successful Authn with username and password the user is currently redirected back to Google.
How can I authorize that the user is a member of the 'Email' group BEFORE redirecting back?

Can this be accomplished by stacking the JAAS modules like so?

ShibUserPassAuth {

    // LdapLoginModule - JAAS module which provides authentication and authorization against an LDAP directory.
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        base="ou=users,dc=test,dc=com"
        host="myldap.server"
        port="389"
        serviceCredential=""
        serviceUser=""
        userField="uid"
        subtreeSearch="false";

    // LdapRoleAuthorizationModule - JAAS module which provides authorization against an LDAP directory.
    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://myldap:389/cn=Email,ou=roles,dc=test,dc=com"
        roleFilter="(member={0})"
        roleAttribute="cn";
};

Thanks,
Jon
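An offline model of the stacking proposed above, added here as an example; it is not code from vt-ldap, Shibboleth or this thread. A constructed in-memory dictionary stands in for the directory, the roleFilter placeholder {0} is assumed to receive the authenticated user's DN, and the role module is assumed to be configured so that an empty role result counts as failure (in vt-ldap that is, to the best of my knowledge, the noResultsIsError option; check the documentation for the version in use).

```python
import hashlib
import hmac

USER_BASE = "ou=users,dc=test,dc=com"          # base= of the LdapLoginModule
ROLE_DN = "cn=Email,ou=roles,dc=test,dc=com"   # base DN from ldapUrl of the role module
ROLE_FILTER = "(member={0})"                   # {0}: the authenticated user's DN (assumed)
ROLE_ATTRIBUTE = "cn"


def _digest(password):
    # Constructed stand-in for the directory's password store, not a real LDAP scheme.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed directory: two users under the login module's base and one role entry.
DIRECTORY = {
    "uid=alice," + USER_BASE: {"uid": ["alice"], "userPassword": _digest("alice-pw")},
    "uid=bob," + USER_BASE: {"uid": ["bob"], "userPassword": _digest("bob-pw")},
    ROLE_DN: {"cn": ["Email"], "member": ["uid=alice," + USER_BASE]},
}


def ldap_login_module(uid, password):
    """LdapLoginModule stand-in: locate the entry by userField=uid under base, then bind."""
    dn = "uid=%s,%s" % (uid, USER_BASE)
    entry = DIRECTORY.get(dn)
    if entry is None or not hmac.compare_digest(entry["userPassword"], _digest(password)):
        return None
    return dn


def ldap_role_authorization_module(user_dn):
    """LdapRoleAuthorizationModule stand-in: apply roleFilter to the entry at the ldapUrl
    base DN and return its roleAttribute values (empty when the user is not a member)."""
    attr, value = ROLE_FILTER.format(user_dn).strip("()").split("=", 1)
    entry = DIRECTORY[ROLE_DN]
    if value not in entry.get(attr, []):
        return []
    return list(entry[ROLE_ATTRIBUTE])


def shib_user_pass_auth(uid, password):
    """Both modules are flagged 'required', so the login commits only if each succeeds;
    a None result is where the IdP would refuse the user before any redirect to Google."""
    user_dn = ldap_login_module(uid, password)
    if user_dn is None:
        return None
    roles = ldap_role_authorization_module(user_dn)
    if not roles:  # assumes the role module treats "no role found" as a failure
        return None
    return {"dn": user_dn, "roles": roles}
```

Run it with a user outside cn=Email (bob above) to see the authenticated-but-unauthorized case refused.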