Federation.RestrictAAP r1.2 - 25 Aug 2007 - 18:32 - BrucLiong


How to restrict access to your application

Suppose you want your application to be restricted to a specific IdP only, or you want to accept specific attribute values and deny others. See AAP for a general discussion of its configuration.

  1. accept the attribute with any values, but deny the attribute entirely when it comes from weird-idp or enemy-idp.
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" 
      Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">
    
       <!-- Accept the attribute generally... -->
       <AnySite>
          <AnyValue/>
       </AnySite>
    
       <!-- ... but reject enemy-idp -->
       <SiteRule Name="urn:mace:federation.org.au:testfed:enemy-idp.org.au">
          <Value Type="regexp" Accept="false">.*</Value>
       </SiteRule>
    
       <!-- ... but reject weird-idp scopes, hence rejecting everything from weird-idp -->
       <SiteRule Name="urn:mace:federation.org.au:testfed:weird-idp.org.au">
          <Scope Accept="false">weird-idp.org.au</Scope>
       </SiteRule>
    </AttributeRule>
    
  2. accept any values for the attribute, but reject all values coming from weird-idp
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false"
      Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
    
       <!-- Accept the attribute generally... -->
       <AnySite>
           <AnyValue/>
       </AnySite>
    
       <!-- ... but reject all attribute values from weird-idp -->
       <SiteRule Name="urn:mace:federation.org.au:testfed:weird-idp.org.au">
           <Value Type="regexp" Accept="false">.*</Value>
       </SiteRule>
    </AttributeRule>
    
  3. accept only a specific value (staff and none other) for this attribute when it comes from ok-idp
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false"
      Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
    
       <!-- Accept the attribute generally... -->
       <AnySite>
           <AnyValue/>
       </AnySite>
    
       <!-- ... but reject all attribute values from ok-idp except "staff" -->
       <SiteRule Name="urn:mace:federation.org.au:testfed:ok-idp.org.au">
           <Value Accept="true">staff</Value>
       </SiteRule>
    </AttributeRule>
    
  4. accept only a small list of IdPs
    <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false"
      Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
    
       <SiteRule Name="urn:mace:federation.org.au:testfed:ok-idp.org.au">
           <AnyValue/>
       </SiteRule>
       <SiteRule Name="urn:mace:federation.org.au:testfed:friend-idp.org.au">
           <AnyValue/>
       </SiteRule>
       <SiteRule Name="urn:mace:federation.org.au:testfed:high-class-idp.org.au">
           <AnyValue/>
       </SiteRule>
    </AttributeRule>
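Before deploying a policy like the ones above it helps to check what each AttributeRule actually says. The following Python script is an added example (not from this page or from the Shibboleth project): it parses an AAP fragment and reports, per attribute, whether a catch-all AnySite/AnyValue is present, which SiteRules carry an explicit Accept="false", and which merely allow a site. The sample XML is constructed from examples 1 and 4 above; a default XML namespace, if one is present, is ignored.

```python
"""Audit a Shibboleth 1.x AAP.xml: summarise each AttributeRule's site rules.
Added, constructed example (not Shibboleth's own code); element and attribute
names follow the AAP fragments on this page; a default namespace is ignored."""
import xml.etree.ElementTree as ET

# Constructed sample: example 1 from this page plus an allow-list-only rule.
SAMPLE_AAP = """<AttributeAcceptancePolicy>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
      Scoped="true" Header="Shib-EP-Affiliation" Alias="affiliation">
    <AnySite><AnyValue/></AnySite>
    <SiteRule Name="urn:mace:federation.org.au:testfed:enemy-idp.org.au">
      <Value Type="regexp" Accept="false">.*</Value>
    </SiteRule>
    <SiteRule Name="urn:mace:federation.org.au:testfed:weird-idp.org.au">
      <Scope Accept="false">weird-idp.org.au</Scope>
    </SiteRule>
  </AttributeRule>
  <AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation"
      Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">
    <SiteRule Name="urn:mace:federation.org.au:testfed:ok-idp.org.au"><AnyValue/></SiteRule>
  </AttributeRule>
</AttributeAcceptancePolicy>"""

def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on namespaced tag names."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _has_reject(rule):
    """True if the rule holds a Value or Scope element with Accept="false"."""
    return any(_local(e.tag) in ("Value", "Scope") and
               e.get("Accept", "true").lower() == "false" for e in rule.iter())

def audit_aap(xml_text):
    """Map each attribute name to: open_to_all (AnySite/AnyValue present),
    rejects (SiteRules that explicitly reject) and allows (other SiteRules)."""
    report = {}
    for ar in ET.fromstring(xml_text).iter():
        if _local(ar.tag) != "AttributeRule":
            continue
        open_to_all = any(_children(a, "AnyValue") for a in _children(ar, "AnySite"))
        rejects, allows = [], []
        for sr in _children(ar, "SiteRule"):
            (rejects if _has_reject(sr) else allows).append(sr.get("Name"))
        report[ar.get("Name")] = {"open_to_all": open_to_all,
                                  "rejects": rejects, "allows": allows}
    return report
```

Run `audit_aap(open("AAP.xml").read())` against a real policy to see at a glance which attributes are open to every IdP and which sites are only allowed rather than explicitly rejected.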
    



Copyright © 1999-2008 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.