force login failure based on attribute value


force login failure based on attribute value

Juan Padilla

Is there a way to add logic in attribute-resolver (or other method) to not send the user back to the SP on successful login if an attribute is a certain value?

For example, if user is not part of an LDAP group then send to an error page instead of the service provider.

Thanks.


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]


Re: force login failure based on attribute value

Klingenstein, Nate

Juan,


Yes, it's possible.  The easiest way is to write a ContextCheckIntercept with a check for that attribute with that value exposed by the attribute resolver.


https://wiki.shibboleth.net/confluence/display/IDP30/ContextCheckInterceptConfiguration


The example configuration should be directly helpful for you.

Hope this helps too,

Nate.


From: users <[hidden email]> on behalf of Juan Padilla <[hidden email]>
Sent: Wednesday, June 13, 2018 12:56:16 PM
To: [hidden email]
Subject: force login failure based on attribute value
RE: force login failure based on attribute value

Cameron Kerr

The concept you are looking for is called a Context Check Intercept.

You should be able to find sufficient info on that on the wiki; just pay close attention to the details.

I'm using this to limit what type of users can go to _some_ SPs. I actually have a number of context-checks (e.g. to check if users are permitted to consume library resources, or if users are from a specific campus). My deployment is entirely scripted and templated, so it's easy for me to add more context-checks; otherwise it is best to limit the number you use (for the sake of complexity).

Hope that helps,

Cameron

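A worked configuration for what Nate and Cameron describe, added here as an example rather than taken from the thread or from the Shibboleth project: the condition the context-check intercept evaluates lives in conf/intercept/context-check-intercept-config.xml, and the intercept is switched on per relying party in conf/relying-party.xml. The attribute id isMemberOf, the group DN and the SP entityID are assumptions; the Spring namespaces are the ones the stock IdP 3 files already declare.

```xml
<!-- conf/intercept/context-check-intercept-config.xml
     The context-check intercept runs after authentication and attribute
     resolution and evaluates this Predicate on the ProfileRequestContext:
     true lets the response go back to the SP, false fails the login with a
     ContextCheckDenied event, so the user sees the IdP error page instead. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Assumption: the attribute resolver exposes LDAP group membership as
         an IdP attribute with id "isMemberOf", one value per group DN.
         SimpleAttributePredicate returns true only if that attribute carries
         at least one of the listed values; an absent attribute yields false,
         which is the safe default for "not in the group". -->
    <bean id="shibboleth.context-check.Condition"
          class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
        <property name="attributeValueMap">
            <map>
                <entry key="isMemberOf">
                    <list>
                        <!-- constructed placeholder group DN -->
                        <value>cn=sp-users,ou=groups,dc=example,dc=org</value>
                    </list>
                </entry>
            </map>
        </property>
    </bean>
</beans>

<!-- conf/relying-party.xml (fragment): the intercept only runs where it is
     listed in postAuthenticationFlows, so scoping it to one SP's override
     leaves every other relying party untouched, which is how a check can be
     applied to _some_ SPs only. The entityID is a constructed placeholder. -->
<util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org/shibboleth">
        <property name="profileConfigurations">
            <list>
                <!-- context-check first, then the usual consent flow -->
                <bean parent="SAML2.SSO"
                      p:postAuthenticationFlows="#{ {'context-check', 'attribute-release'} }" />
            </list>
        </property>
    </bean>
</util:list>
```

Check the resolved attribute id against what attribute-resolver.xml actually produces before relying on the check, since an attribute that never resolves denies every user of that SP.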