
...

For simple illustrative purposes, consider a rule that the flow is authorized only to users possessing a particular entitlement value, who are then allowed to impersonate any users named by a second custom attribute to services named by a third.

The "specific" policy could be implemented by a script, but the example demonstrates a new class added in V3.4 that checks the values of a resolved IdPAttribute against a dynamically computed candidate value (or values) produced by functions, which can themselves be scripts or expressions.

Code Block (xml): conf/access-control.xml
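<?xml version="1.0" encoding="UTF-8"?>
<!--
    Access control policies for the impersonation scenario described above.

    Two named policies are defined here: a general entitlement check
    (GeneralImpersonationPolicy) and a specific username/service check
    (SpecificImpersonationPolicy). They are independent map entries, so the
    flow has to reference both for the combined rule to take effect; confirm
    this against the flow configuration that names these policies.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:map id="shibboleth.AccessControlPolicies">

        <!-- Limits who can impersonate based on entitlement.
             SimpleAttributePredicate compares the resolved eduPersonEntitlement
             attribute against the fixed literal value(s) listed below; the
             match is on exact values. -->
        <entry key="GeneralImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="eduPersonEntitlement">
                                    <list>
                                        <value>https://example.org/entitlement/impersonation</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

        <!-- Controls the impersonation scenarios to allow.
             Both conditions must hold (shibboleth.Conditions.AND):
               1. the AccessControlContext resource (the username being
                  impersonated) must be one of the subject's resolved
                  impersonatableUsernames values;
               2. the relying party ID of the requesting service must be one
                  of the subject's resolved impersonatableServices values.
             Unlike the policy above, DynamicAttributePredicate computes the
             candidate value at request time from the listed function bean
             rather than from a literal. -->
        <entry key="SpecificImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <bean parent="shibboleth.Conditions.AND">
                        <constructor-arg>
                            <!-- NOTE(review): if impersonatableUsernames is
                                 unresolved or empty for the subject, confirm
                                 this predicate evaluates to false (deny). -->
                            <bean class="net.shibboleth.idp.profile.logic.DynamicAttributePredicate">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableUsernames">
                                            <list>
                                                <!-- Candidate value: the resource recorded in the
                                                     AccessControlContext for this request. -->
                                                <bean parent="shibboleth.ContextFunctions.Expression"
                                                    c:expression="#input.getSubcontext(T(org.opensaml.profile.context.AccessControlContext)).getResource()" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                        <constructor-arg>
                            <bean class="net.shibboleth.idp.profile.logic.DynamicAttributePredicate">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableServices">
                                            <list>
                                                <!-- Candidate value: the requesting relying party's ID. -->
                                                <bean parent="shibboleth.RelyingPartyIdLookup.Simple" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

    </util:map>

</beans>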

Notes

...