Christopher Bland
2014-10-04 00:33:03 UTC
Hello All,
I am in the process of changing the backend of an IDP to authenticate against AD. With the change I want to take advantage of group membership to restrict services. So far I am thinking I can create a special handler for each service which is available to a subset of my users. The LDAP query would be something like username, password and is a member of group X. Now comes the tricky part.
Once a user has authenticated at an entitled service and then goes to my restricted service, is there any way to restrict them other than forcing a mandatory authentication for the restricted service? In the past I have not released attributes, which causes an error, but this solution only works if the SP/Vendor allows custom error pages so I can let the user know it's restricted versus having an error they don't understand.
I also want to take advantage of forcing password changes and account locking. I was curious what kinds of things the Shibboleth community has tried. I have read some good ideas from previous posts but wonder if you can dynamically change the target in an auth request?
-Chris
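The lookup the post sketches, a user must be a member of group X before a service is allowed, as an added example that is not part of the original post or of Shibboleth itself. It builds the AD filter with RFC 4515 escaping so a username from a login form cannot alter the query, and decides per-service access from the memberOf values the directory returns; the service entity IDs, group DNs and sample data are constructed, and the nested-group matching rule OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.

```python
# Added example, not from the original post: build the AD lookup the poster
# describes (user must belong to group X) and decide per-service access from
# the groups the directory returns. Service names and group DNs are constructed.

# RFC 4515 escaping: a username taken from a login form must not change the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """AD search filter that matches `username` only if it belongs to `group_dn`.
    With nested=True the LDAP_MATCHING_RULE_IN_CHAIN OID makes AD expand nested groups."""
    attr = "memberOf:1.2.840.113556.1.4.1941:" if nested else "memberOf"
    return (f"(&(objectClass=user)(sAMAccountName={ldap_escape(username)})"
            f"({attr}={ldap_escape(group_dn)}))")


# Per-service entitlement: the AD group a user must hold to reach each SP (constructed).
SERVICE_GROUPS = {
    "https://sp.restricted.example/shibboleth": "CN=RestrictedUsers,OU=Groups,DC=example,DC=org",
    "https://sp.open.example/shibboleth": None,  # no group requirement
}


def service_allowed(entity_id: str, member_of: list[str]) -> bool:
    """Deny unknown SPs; allow known ones if no group is required or the user holds it.
    DN comparison is case-insensitive, matching how AD treats DNs."""
    if entity_id not in SERVICE_GROUPS:
        return False
    required = SERVICE_GROUPS[entity_id]
    if required is None:
        return True
    held = {dn.lower() for dn in member_of}
    return required.lower() in held


if __name__ == "__main__":
    print(member_of_filter("jdoe", "CN=RestrictedUsers,OU=Groups,DC=example,DC=org"))
    print(service_allowed("https://sp.restricted.example/shibboleth", []))
```

Releasing an attribute or a deny decision based on `service_allowed` is what lets the IdP refuse the restricted SP without a second mandatory login, which is the gap the post asks about.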
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org