The Shibboleth V1 software has reached its End of Life and is no longer supported. This documentation is available for historical purposes only.

DenyIdP

Owned by Scott Cantor
Last updated: Jan 02, 2007 by Former user (Deleted)Version comment
2 min read

Restrict Access to a Resource by IdP

Deployments may wish to recognize and utilize federations while restricting access to some applications to a subset of that federation membership. If a provider doesn't want to recognize an IdP within a federation at all, it can be simply removed from the metadata entirely. This is done by editing the federation's metadata file and removing the EntityDescriptor element with a name matching the providerId of the IdP you don't want to recognize.

In other situations, you may wish to only deny access for certain applications within an SP. This implies that each application with this special requirement must have its own AAP.xml file which restricts acceptance of attributes from the IdP you want to prevent access from. Once a separate AAP has been created for an application, it needs to be modified so that the attributes used for access control will be rejected from the desired providers. The most appropriate way to do this depends on whether the attribute is scoped. If it is, it's best to write AAP's that deny particular scopes:

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" 
  Scoped="true" CaseSensitive="false" Header="Shib-EP-Affiliation" Alias="affiliation">

	<!-- Accept the attribute generally... -->
	<AnySite>
		<AnyValue/>
	</AnySite>

	<!-- ... but reject supervillain.edu scopes -->
	<SiteRule Name="https://identity.supervillain.edu/shibboleth/idp">
		<Scope Accept="false">supervillain.edu</Scope>
	</SiteRule>
</AttributeRule>

For attributes that aren't scoped, it's necessary to deny acceptance on a per-provider basis:

<AttributeRule Name="urn:mace:dir:attribute-def:eduPersonAffiliation" CaseSensitive="false"
  Header="Shib-EP-UnscopedAffiliation" Alias="unscoped-affiliation">

	<!-- Accept the attribute generally... -->
	<AnySite>
		 <AnyValue/>
	</AnySite>

	<!-- ... but reject all attribute values from supervillain.edu >
	<SiteRule Name="https://identity.supervillain.edu/shibboleth/idp">
		<Value Type="regexp" Accept="false">.*</Value>
	</SiteRule>
</AttributeRule>

%COMMENT%

  • The suggestion of manually editing a federation's metadata to remove a particular entity doesn't sit very well with recommendations elsewhere for people to refresh their metadata frequently. If you're manually changing federation metadata for your local use, you're not going to be doing that hourly or daily, and the result will be people not refreshing metadata at all. I do seem to recall that there was some kind of exclusion system built into the SP configuration for this kind of purpose; would it be better to describe that instead of a manual process? -- Main.IanYoung - 30 Nov 2006 11:50:29
  • An alternative solution we could mention if we want to be exhaustive is snipping out entities using XSLT. I can run up an example of this if you want one. -- Main.IanYoung - 30 Nov 2006 11:54:42