With Shibboleth it is simple to restrict a resource to a certain identity provider. However, it is not possible to further separate the users of that identity provider.
This can be solved with a resource-side whitelist. In our case the resource is OpenOLAT, which must implement the whitelist feature and allow access only to users that are on the whitelist.
The whitelist is checked against a user property handed over by the Shibboleth identity provider. The system should support multiple whitelists, e.g. one that lists explicitly allowed user names or email addresses and another one that lists allowed user attributes (e.g. the name of the class the user is in). At this point, two lists must be supported.
When both lists are populated, the check is an OR check: a user is allowed as soon as one of the attributes matches one of the allowed values.
Disallowed users should get an error message that tells them that they are not allowed to access the system.
The default implementation grants access to all users who successfully authenticated via Shibboleth.
The lists are configured in a new admin panel as text area fields.
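The following is an added illustration of the two-list check described above, written in Python rather than OpenOLAT's Java and not taken from the OpenOLAT code base. It assumes the whitelists arrive as text-area content with one entry per line, that the user's name and email are exposed by the Shibboleth service provider under the attribute names "uid" and "mail" (an assumption; the real attribute names depend on the deployment), and that multi-valued attributes are delimited with ";" as the Shibboleth SP does when it exposes attributes as request headers. The attribute name "class" and all user data are constructed sample values.

```python
"""Resource-side Shibboleth whitelist check (constructed example, not OpenOLAT code)."""
from dataclasses import dataclass, field


def parse_whitelist(text: str) -> set[str]:
    """Parse a text-area whitelist: one entry per line, blank lines and
    '#' comments ignored; matching is case-insensitive."""
    entries: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.add(line.lower())
    return entries


def attribute_values(attrs: dict[str, str], name: str) -> list[str]:
    """Return all values of one Shibboleth attribute. A missing attribute
    yields an empty list, so it can never match. Multi-valued attributes
    are assumed to be ';'-delimited (the Shibboleth SP header convention)."""
    raw = attrs.get(name, "")
    return [v.strip().lower() for v in raw.split(";") if v.strip()]


@dataclass
class ShibbolethWhitelist:
    # List 1: explicitly allowed user names / email addresses
    user_whitelist: set[str] = field(default_factory=set)
    # Attributes in which the user's identity is delivered (assumed names)
    identity_attributes: tuple[str, ...] = ("uid", "mail")
    # List 2: allowed values of one further attribute, e.g. the class name
    attribute_name: str = ""
    attribute_whitelist: set[str] = field(default_factory=set)

    def is_allowed(self, attrs: dict[str, str]) -> tuple[bool, str]:
        """Return (allowed, reason). The reason for a denied user is the
        error message to show them."""
        # Default behaviour: no list configured -> every authenticated user is allowed.
        if not self.user_whitelist and not self.attribute_whitelist:
            return True, "no whitelist configured"
        # List 1: does the user name or email appear on the user whitelist?
        identities = [
            v for name in self.identity_attributes for v in attribute_values(attrs, name)
        ]
        if any(i in self.user_whitelist for i in identities):
            return True, "user is on the user whitelist"
        # List 2 (OR with list 1): does any value of the attribute appear on the attribute whitelist?
        if self.attribute_whitelist and any(
            v in self.attribute_whitelist
            for v in attribute_values(attrs, self.attribute_name)
        ):
            return True, "attribute matches the attribute whitelist"
        return False, "You are not allowed to access this system."


if __name__ == "__main__":
    # Constructed admin-panel contents and constructed Shibboleth attributes
    wl = ShibbolethWhitelist(
        user_whitelist=parse_whitelist("alice@example.edu\n# teaching staff\nbob\n"),
        attribute_name="class",
        attribute_whitelist=parse_whitelist("cs101\n"),
    )
    for user in (
        {"uid": "bob", "mail": "bob@example.edu", "class": "math200"},
        {"uid": "carol", "mail": "carol@example.edu", "class": "math200;cs101"},
        {"uid": "dave", "mail": "dave@example.edu", "class": "math200"},
    ):
        print(user["uid"], wl.is_allowed(user))
```

Note that an empty list never matches, so when only one list is populated the other simply drops out of the OR; only when both lists are empty does the check fall back to the default of admitting every authenticated user.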
See also https://jira.frentix.com/browse/CL-412 (frentix internal)