Hello,

we do this using a scripted attribute. If the specific combination is
not permitted we return an invalid value. It's not perfect because the
user doesn't get informed why it doesn't work, but educating the user
in advance that it won't work was enough for us to make it acceptable.

The attribute resolver looks like this

<resolver:AttributeDefinition xsi:type="Script" id="email"
xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
<resolver:Dependency ref="theLDAP" />
<resolver:AttributeEncoder xsi:type="SAML2StringNameID"
xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
name="email" />
<ScriptFile>/opt/shibboleth-idp/conf/email.js</ScriptFile>
</resolver:AttributeDefinition>




And in the script you could put something like this:

importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
importPackage(Packages.org.slf4j);

logger = LoggerFactory.getLogger("edu.internet2.middleware.shibboleth.resolver.Script.scriptTest");

logger.info("This is a request for " +
requestContext.getRelyingPartyConfiguration().getRelyingPartyId());

var emailAdress ;


var ipAddress = requestContext.getInboundMessageTransport().getPeerAddress() ;
if ( ( ipAddress.match("10\\..*") &&
requestContext.getRelyingPartyConfiguration().getRelyingPartyId() ==
"somerelyingparty" ) ||
requestContext.getRelyingPartyConfiguration().getRelyingPartyId() !=
"somerelyingparty" ) {
emailAdress = mail.getValues().get(0);
} else {
emailAdress = "***@nowhere";
}

email = new BasicAttribute("email");
email.getValues().add(emailAdress);


logger.info("Provided email address " +email.getValues().get(0));

ps.: Edited in gmail, so there may be small typo's or syntax errors,
but the idea is there.

Kind Regards,

JAN KEIRSE
--
**** DISCLAIMER ****

http://www.tvh.com/newen2/emaildisclaimer/default.html

"This message is delivered to all addressees subject to the conditions
set forth in the attached disclaimer, which is an integral part of this
message."
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

Hi Stefano,
I see two options here:

1) Similar to Jan Keirse's idea: Does the SP request a special attribute
which is needed to grant access? (e.g.
eduPersonEntitlement=urn:mace:dir:entitlement:common-lib-terms)
Then you could check the user's IP address and leave that attribute
blank if the user is not entitled to use the SP.

Please note that there may be a problem with Jan's code line
var ipAddress =
requestContext.getInboundMessageTransport().getPeerAddress() ;
... because if the SP requests the attributes via back-channel (SOAP),
then getPeerAddress() will return the SP's IP address (not the user's IP
address), see
https://bugs.internet2.edu/jira/si/jira.issueviews:issue-html/SIDP-269/SIDP-269.html

Alternatively, you may use our custom login handler (which stores the
user's IP address in the user's publicCredentials for later use in
attribute resolution):
http://www.staff.uni-marburg.de/~haimm/unimr-login.shib2.2011_11_21.zip
but please take care of this Security Advisory:
http://shibboleth.internet2.edu/secadv/secadv_20110718.txt).

2) If the above is no option, you must write an IdP plugin which blocks
the IdP's attribute forwarding based on the user's IP address (or other
attribute values). We use a customized copy of the uApprove filter
(ch.SWITCH.aai.uApprove.Intercepter) to accomplish this, i.e. users
lacking the
eduPersonEntitlement=urn:mace:dir:entitlement:common-lib-terms attribute
value are blocked and shown a no-access page.
I have just uploaded the jar file and the sources here if you want to
have a look:
http://www.staff.uni-marburg.de/~haimm/unimr-spaccessfilter.shib2.uapprove240.2013_08_22.zip


-Manuel


--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

This could be a show stopper. Since the IDP is doing SSO, the user may have authenticated
by going to a different SP earlier. The IDP will use the previous cookie from the browser
for the assertion and then gets attributes for the second SP. As Jan Keirse pointed out
the IDP can choose to send some don't-allow-this-user attribute or no attributes.
But the IDP still sends an assertion. So it depends on what the SP will do with the
assertion without the normal attributes it expects.

This thread,
http://shibboleth.1660669.n2.nabble.com/Restricting-Authentication-to-a-subset-of-Users-td6375260.html

is similar in that we wanted to restrict some user accounts from using Shibboleth
and have the same problem of what to do with sending an assertion indicating
don't-allow-this-user or an assertion with no attributes to an SP. There does not
appear to be any way from the attribute-resolver or attribute-filter to send a
not successful assertion to the SP, or a way to send a page to the user's browser
saying not allowed.

We have been using the advise of sending an assertion with no attributes.