Using Shibboleth IdP 2 for Google SSO for email. Successfully authenticating users via the ShibUserPassAuth {edu.vt.middleware.ldap.jaas.LdapLoginModule} in login.config.
15:16:51.081 - INFO [edu.vt.middleware.ldap.Authenticator:297] - Authentication succeeded for user
After a successful Authn with username and password the user is currently redirected back to Google.
How can I authorize that the user is a member of the 'Email' group BEFORE redirecting back?
Can this be accomplished by stacking the JAAS modules like so?
ShibUserPassAuth {
    // LdapLoginModule - JAAS module which provides authentication and authorization against a LDAP.
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        base="ou=users,dc=test,dc=com"
        host="myldap.server"
        port="389"
        serviceCredential=""
        serviceUser=""
        userField="uid"
        subtreeSearch="false";

    // LdapRoleAuthorizationModule - JAAS module which provides authorization against a LDAP.
    edu.vt.middleware.ldap.jaas.LdapRoleAuthorizationModule required
        useFirstPass="true"
        ldapUrl="ldap://myldap:389/cn=Email,ou=roles,dc=test,dc=com"
        roleFilter="(member={0})"
        roleAttribute="cn";
};
Thanks,
Jon