
Purpose

This page describes how to configure access control using the XML Access Control plug-in that ships with the Shibboleth Service Provider. 

Configuration

The XML Access Control plug-in controls access using the attributes released from the IdP to your SP. Access control statements are added to the <RequestMap> section of your shibboleth2.xml file, within a <Host> block or a <Path> block. Boolean logic with AND, OR, and NOT is supported, combining rules on single-valued or multi-valued attributes. The configuration works on both IIS and Apache systems, although Apache administrators might prefer the standard Apache access control mechanisms.

  1. Request that the attributes you wish to use get released to your SP
  2. Map the attributes into your server environment
  3. Configure Shibboleth to protect the host or a specific path by requiring a session
  4. Configure XML access control statements in a <Host> block or a <Path> block. Some examples are provided below.


Example requiring membership in a group to access the web site.

<RequestMap>
    <Host name="diafine3.cac.washington.edu" authType="shibboleth" requireSession="true">
        <AccessControl>
            <Rule require="gws_groups">urn:mace:washington.edu:groups:u_myapp_admins</Rule>
        </AccessControl>
    </Host>
</RequestMap>

Example requiring an employee affiliation or membership in a group to access a directory, but excluding a particular user by eppn.

<RequestMap>
    <Host name="diafine3.cac.washington.edu">
        <Path name="secure" authType="shibboleth" requireSession="true">
            <AccessControl>
                <AND>
                    <OR>
                        <Rule require="affiliation">employee@washington.edu</Rule>
                        <Rule require="gws_groups">urn:mace:washington.edu:groups:u_myapp_non-employees</Rule>
                    </OR>
                    <NOT>
                        <Rule require="eppn">bad-apple@washington.edu</Rule>
                    </NOT>
                </AND>
            </AccessControl>
        </Path>
    </Host>
</RequestMap>
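To check how a policy like the two above behaves before deploying it, the following added example (not part of this page or of the Shibboleth SP) evaluates an <AccessControl> fragment against attributes as the SP maps them into the server environment. It assumes the SP's default behaviour of joining multi-valued attributes with ";" and of treating the text of a <Rule> as a whitespace-delimited list of acceptable values; an attribute that was not released never satisfies a rule, so access fails closed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the second <AccessControl> policy shown on this page.
POLICY_XML = """
<AccessControl>
  <AND>
    <OR>
      <Rule require="affiliation">employee@washington.edu</Rule>
      <Rule require="gws_groups">urn:mace:washington.edu:groups:u_myapp_non-employees</Rule>
    </OR>
    <NOT>
      <Rule require="eppn">bad-apple@washington.edu</Rule>
    </NOT>
  </AND>
</AccessControl>
"""

def attrs_from_environment(env):
    """Turn mapped SP environment variables into attribute-id -> set of values.
    Assumes the SP default of joining multi-valued attributes with ';'. An absent
    or empty variable means the attribute was not released and contributes nothing."""
    return {name: set(value.split(";")) for name, value in env.items() if value}

def evaluate(node, attrs):
    """Recursively evaluate an AccessControl element against released attributes."""
    children = list(node)
    if node.tag == "AccessControl":
        if len(children) != 1:
            raise ValueError("<AccessControl> must wrap exactly one rule or operator")
        return evaluate(children[0], attrs)
    if node.tag == "Rule":
        # Element text is a whitespace-delimited list; any listed value satisfies the rule.
        # A missing attribute yields an empty set, so the rule fails closed.
        wanted = set((node.text or "").split())
        return bool(attrs.get(node.get("require"), set()) & wanted)
    if node.tag == "AND":
        return all(evaluate(child, attrs) for child in children)
    if node.tag == "OR":
        return any(evaluate(child, attrs) for child in children)
    if node.tag == "NOT":
        if len(children) != 1:
            raise ValueError("<NOT> takes exactly one child")
        return not evaluate(children[0], attrs)
    raise ValueError(f"unsupported element <{node.tag}>")

def allowed(policy_xml, env):
    """True when the environment, as mapped by the SP, satisfies the policy."""
    return evaluate(ET.fromstring(policy_xml), attrs_from_environment(env))
```

Feeding it the excluded eppn together with an employee affiliation shows the <NOT> branch denying access even though the <OR> branch is satisfied.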

See Also
