...
For simple illustrative purposes, consider a rule under which the flow is authorized only for users possessing a particular entitlement value, who are then allowed to impersonate any users named by a second custom attribute, to services named by a third.
The "specific" policy could be implemented by a script, but the example demonstrates a new class added in V3.4 that checks the values of a resolved IdPAttribute against a dynamically computed candidate value (or values) produced by functions, which can themselves be scripts or expressions.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy">

    <util:map id="shibboleth.AccessControlPolicies">

        <!-- Limits who can impersonate based on entitlement. -->
        <entry key="GeneralImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
                        <property name="attributeValueMap">
                            <map>
                                <entry key="eduPersonEntitlement">
                                    <list>
                                        <value>https://example.org/entitlement/impersonation</value>
                                    </list>
                                </entry>
                            </map>
                        </property>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

        <!-- Controls the impersonation scenarios to allow. -->
        <entry key="SpecificImpersonationPolicy">
            <bean parent="shibboleth.PredicateAccessControl">
                <constructor-arg>
                    <!-- TBD -->
                    <bean parent="shibboleth.Conditions.AND">
                        <!-- The target username (the AccessControlContext resource) must be among the values of impersonatableUsernames. -->
                        <constructor-arg>
                            <bean class="net.shibboleth.idp.profile.logic.DynamicAttributePredicate">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableUsernames">
                                            <list>
                                                <bean parent="shibboleth.ContextFunctions.Expression"
                                                    c:expression="#input.getSubcontext(T(org.opensaml.profile.context.AccessControlContext)).getResource()" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                        <!-- The relying party ID must be among the values of impersonatableServices. -->
                        <constructor-arg>
                            <bean class="net.shibboleth.idp.profile.logic.DynamicAttributePredicate">
                                <property name="attributeFunctionMap">
                                    <map>
                                        <entry key="impersonatableServices">
                                            <list>
                                                <bean parent="shibboleth.RelyingPartyIdLookup.Simple" />
                                            </list>
                                        </entry>
                                    </map>
                                </property>
                            </bean>
                        </constructor-arg>
                    </bean>
                </constructor-arg>
            </bean>
        </entry>

    </util:map>

</beans>
```
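To make the evaluation semantics of the two policies concrete, the following is an added Python model (not Shibboleth IdP code) of how SimpleAttributePredicate, DynamicAttributePredicate and the AND composition above decide a request. The resolved attribute values and the request context are constructed sample data, and the matching rule assumed is "at least one resolved value equals a candidate", with a missing attribute resolving to deny.

```python
from typing import Callable, Iterable, Mapping, Set

# Constructed stand-in for the resolved IdPAttributes of the authenticated user.
RESOLVED_ATTRIBUTES: Mapping[str, Set[str]] = {
    "eduPersonEntitlement": {"https://example.org/entitlement/impersonation"},
    "impersonatableUsernames": {"jdoe", "asmith"},
    "impersonatableServices": {"https://sp.example.org/shibboleth"},
}


class RequestContext:
    """Constructed stand-in for the per-request state the functions read:
    the AccessControlContext resource (target username) and the relying party ID."""

    def __init__(self, resource: str, relying_party_id: str) -> None:
        self.resource = resource
        self.relying_party_id = relying_party_id


def simple_attribute_predicate(attributes: Mapping[str, Set[str]],
                               attribute_id: str, allowed: Set[str]) -> bool:
    """Static check (SimpleAttributePredicate): some resolved value is in the
    configured allow-list. An unresolved attribute yields an empty set, so deny."""
    return bool(attributes.get(attribute_id, set()) & allowed)


def dynamic_attribute_predicate(attributes: Mapping[str, Set[str]], attribute_id: str,
                                candidate_fn: Callable[[RequestContext], Iterable[str]],
                                ctx: RequestContext) -> bool:
    """Dynamic check (DynamicAttributePredicate): the candidate value(s) computed
    from the request by candidate_fn must appear among the resolved values."""
    return bool(attributes.get(attribute_id, set()) & set(candidate_fn(ctx)))


def general_impersonation_policy(attributes: Mapping[str, Set[str]]) -> bool:
    """GeneralImpersonationPolicy: the user holds the impersonation entitlement."""
    return simple_attribute_predicate(
        attributes, "eduPersonEntitlement",
        {"https://example.org/entitlement/impersonation"})


def specific_impersonation_policy(attributes: Mapping[str, Set[str]],
                                  ctx: RequestContext) -> bool:
    """SpecificImpersonationPolicy: AND of the two dynamic predicates, so both the
    target username and the relying party must be individually permitted."""
    return (dynamic_attribute_predicate(attributes, "impersonatableUsernames",
                                        lambda c: [c.resource], ctx)
            and dynamic_attribute_predicate(attributes, "impersonatableServices",
                                            lambda c: [c.relying_party_id], ctx))
```

Evaluating a request for an unlisted target user or an unlisted service fails the conjunction even though the general entitlement check passes, which is the separation the two policies are meant to provide.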
Notes
...