...

As a general matter, unless all of your attributes come from a persistent store you can re-query, this feature is not likely to work, or be safe to use.

Reference

Beans (V4.0)

The following beans are defined in conf/intercept/impersonate-intercept-config.xml:

| Bean ID | Type | Description |
|---|---|---|
| shibboleth.impersonate.GeneralPolicy | String | Named AccessControl policy to run to determine whether to run this flow |
| shibboleth.impersonate.SpecificPolicy | String | Named AccessControl policy to run to determine whether to allow the requested impersonation |

Properties (V4.1+)

The following properties in conf/idp.properties may be used to override the default policy names used:

| Name | Default | Description |
|---|---|---|
| idp.impersonate.generalPolicy | GeneralImpersonationPolicy | Named AccessControl policy to run to determine whether to run this flow |
| idp.impersonate.specificPolicy | SpecificImpersonationPolicy | Named AccessControl policy to run to determine whether to allow the requested impersonation |

Example

Aside from the UI, all of the flow's configuration is actually just defining policies, either in conf/access-control.xml or an included file. In practice, a "real world" implementation of such policies would likely rely on some kind of directory or database of rules controlling which users can impersonate which users to which services, perhaps through group memberships resolved during initial attribute resolution.
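
To make the two-stage decision concrete, the following is an added Python model of the general and specific policies evaluated against a rule store; it is not Shibboleth code or configuration from this page. The Rule structure, group names, entityIDs, usernames and the decide() helper are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str            # group the authenticated user must belong to
    service: str          # relying party (entityID) the rule applies to
    targets: frozenset    # exact usernames that may be impersonated

# Constructed sample data standing in for the directory or database of rules.
RULES = [
    Rule("helpdesk", "https://sp.example.org/shibboleth",
         frozenset({"student1", "student2"})),
    Rule("lms-admins", "https://lms.example.org/shibboleth",
         frozenset({"instructor1"})),
]

def _matching(groups, service):
    """Rules that apply to this user's groups for this exact service."""
    held = set(groups)
    return [r for r in RULES if r.group in held and r.service == service]

def general_policy(groups, service):
    """Stage 1: should the impersonation flow run at all for this login?"""
    return bool(_matching(groups, service))

def specific_policy(groups, service, target):
    """Stage 2: is the requested target permitted? Default deny."""
    if not target:
        return False
    # Exact, case-sensitive match only: no wildcards, no normalisation.
    return any(target in r.targets for r in _matching(groups, service))

def decide(groups, service, target):
    """Combine both stages the way the two policy names are described."""
    if not general_policy(groups, service):
        return "skip-flow"   # user never sees the impersonation UI
    if specific_policy(groups, service, target):
        return "allow"
    return "deny"

if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    for target in ("student1", "instructor1", "Student1", ""):
        print(repr(target), "->", decide(["helpdesk"], sp, target))
```

Because the rules are scoped per service, a group that may impersonate to one relying party gets no impersonation UI at any other, and an unlisted or differently-cased target is denied rather than matched loosely.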

...