OpenOLAT / OO-1588

Restrict Shibboleth Login to user name or attribute whitelist


      Description

      Using Shibboleth, it is simple to restrict a resource to a certain identity provider. However, within the identity provider it is not possible to further separate users.

      This can be solved using a resource-side whitelist. In our case the resource is OpenOLAT, which must implement the whitelist feature and allow access only to users that are on this whitelist.

      The whitelist checks against a user property handed over by the Shibboleth identity provider. The system should support multiple whitelists, e.g. one to list explicitly allowed user names or email addresses and another one to list allowed user attributes (e.g. the name of the class which the user is in). At this point, two lists must be supported.

      When both lists are populated, the check performs an OR check: only one of the attributes must match against the allowed values.

      Disallowed users should get an error message that tells them that they are not allowed to access the system.

      The default implementation grants access to all users who successfully authenticated via Shibboleth.

      The lists are configured in a new admin panel as text area fields.

      See also https://jira.frentix.com/browse/CL-412 (frentix internal)
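
The check described in this issue, sketched in Java as an added example (not OpenOLAT's implementation and not code from the ticket). The class and method names, the line-or-comma text-area format, case-insensitive comparison and the `;`-separated multi-valued attribute are assumptions.

```java
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration only: class, method and attribute names are hypothetical,
// not OpenOLAT code.
public class ShibbolethWhitelistCheck {

    // Assumption: the text area holds one entry per line (commas also accepted);
    // entries are trimmed and compared case-insensitively.
    static Set<String> parseList(String textArea) {
        if (textArea == null) return Set.of();
        return Arrays.stream(textArea.split("[\\r\\n,]+"))
                .map(s -> s.trim().toLowerCase(Locale.ROOT))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Assumption: a multi-valued attribute arrives as one ';'-separated string.
    // A missing attribute never matches, so a populated list fails closed.
    static boolean matches(Set<String> allowed, String attributeValue) {
        if (attributeValue == null) return false;
        return Arrays.stream(attributeValue.split(";"))
                .map(v -> v.trim().toLowerCase(Locale.ROOT))
                .anyMatch(allowed::contains);
    }

    // Both lists empty: default behaviour, every authenticated user is allowed.
    // Otherwise OR: a match on either list is sufficient.
    static boolean isAllowed(Set<String> userList, String userValue,
                             Set<String> attrList, String attrValue) {
        if (userList.isEmpty() && attrList.isEmpty()) return true;
        return matches(userList, userValue) || matches(attrList, attrValue);
    }

    public static void main(String[] args) {
        // Constructed sample configuration and attribute values.
        Set<String> users = parseList("alice@example.org\n bob@example.org \n");
        Set<String> classes = parseList("class-3a");
        System.out.println(isAllowed(users, "Alice@example.org", classes, null));       // user list match
        System.out.println(isAllowed(users, "carol@example.org", classes, "class-1b;class-3a")); // attribute match
        System.out.println(isAllowed(users, "dave@example.org", classes, "class-1b"));  // no match
        System.out.println(isAllowed(users, null, classes, null));                      // attributes missing
        System.out.println(isAllowed(parseList(""), "dave@example.org", parseList(null), null)); // lists empty
    }
}
```

Because an empty pair of lists means "allow everyone", clearing both text areas in the admin panel silently reopens access to every user of the identity provider, which is worth surfacing in the UI or logging as a configuration change.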

            People

            Assignee:
            srosse Stéphane Rossé
            Reporter:
            gnaegi Florian Gnägi
            Tester:
            Dirk Furrer
            Votes:
            0
            Watchers:
            2

                Time Tracking

                Estimated:
                1d
                Remaining:
                3h
                Logged:
                5h 30m