Authorization based on group membership

1. Federation

  • Create the federation scenario.
    In this example the “Username and Password” scenario is used.
  • When the scenario is created, click on “EXECUTION FLOW” and make the following changes.

2. AuthnRequestDecoder

  • Add the valve “AuthnRequestDecoder” and place it directly after the “InputParameterExistValidatorValve” valve in the flow.

3. PropertyAddValve

  • Add the valve “PropertyAddValve” and place it directly after the “AuthnRequestDecoder” valve in the flow. 
  • Add the following configurations.

3.1. General tab

  • Name : Application
  • Value : CN=App1,OU=Applications,OU=Groups,DC=phenixid,DC=local
    Replace the example value with your group DN.
  • Splitter : ¤ (can be replaced with other characters)
    (In 2.5.x and earlier versions, see the instructions in section 8 below.)

3.2. Advanced tab

  • Exec_If : flow.getPropertyValue('issuer').equals('https://sp.testshib.org/shibboleth-sp')
    Replace https://sp.testshib.org/shibboleth-sp with your SP address.

4. LDAPSearchValve

  • Modify the “LDAPSearchValve” valve with the following configuration.

4.1. General tab

  • Search Filter : (&(samAccountName={{request.username}})(memberOf={{item.Application}}))

5. FlowFailValve

  • Add the valve “FlowFailValve” and place it directly after the “LDAPSearchValve” valve in the flow. 
  • Add the following configurations.

5.1. General tab

  • Message : Failed by FlowFailValve (or the message of your choice)

5.2. Advanced tab

  • Skip_If : flow.isMulti()

6. ItemRemoveValve

  • Add the valve “ItemRemoveValve” and place it directly after the “FlowFailValve” valve in the flow. 
  • Add the following configurations.

6.1. General tab

  • Item Include Expression : item.containsProperty('issuer')
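
As an added example (not PhenixID code), the Python below builds the section 4.1 search filter with RFC 4515 escaping of the two substituted template values, then runs the same membership test against a constructed in-memory directory and reports the decision the flow would take (no item returned means FlowFailValve stops the login). The directory contents and user names are assumptions; whether the product itself escapes `{{request.username}}` is not stated on this page.

```python
# Added example, not PhenixID code: the section 4.1 search filter built with
# RFC 4515 escaping of the substituted values, then the same membership test run
# against a constructed in-memory directory. Names below are assumptions.

APPLICATION_DN = "CN=App1,OU=Applications,OU=Groups,DC=phenixid,DC=local"  # group DN from the page

# Constructed sample directory: sAMAccountName -> memberOf values (assumption)
DIRECTORY = {
    "alice": [APPLICATION_DN, "CN=Staff,OU=Groups,DC=phenixid,DC=local"],
    "bob": ["CN=Staff,OU=Groups,DC=phenixid,DC=local"],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a substituted value can match, but never restructure the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(username: str, group_dn: str) -> str:
    """The LDAPSearchValve filter from section 4.1 with both template values escaped."""
    return "(&(samAccountName=%s)(memberOf=%s))" % (
        escape_filter_value(username),
        escape_filter_value(group_dn),
    )


def search(directory: dict, username: str, group_dn: str) -> list:
    """Entries the filter would return: account match AND memberOf contains the group DN.

    Both comparisons are case-insensitive, as Active Directory treats
    sAMAccountName and DN-valued attributes.
    """
    groups = directory.get(username.lower())
    if groups is None:
        return []
    if group_dn.lower() in (g.lower() for g in groups):
        return [{"samAccountName": username, "memberOf": groups}]
    return []


def authorize(directory: dict, username: str, group_dn: str) -> bool:
    """Mirror the flow: no item from LDAPSearchValve means FlowFailValve stops the login."""
    return len(search(directory, username, group_dn)) > 0


if __name__ == "__main__":
    print(build_filter("alice", APPLICATION_DN))
    for user in ("alice", "bob", "carol"):
        print(user, "allowed" if authorize(DIRECTORY, user, APPLICATION_DN) else "denied")
```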

7. “EXECUTION FLOW” order

The “EXECUTION FLOW” order should look similar to the image below.

8. Note: Add Splitter in 2.5.x and earlier versions

  • Get the Pipe ID from the “EXECUTION FLOW”.
    In the example above the Pipe ID is f7e74ccc-60a3-4381-9810-0892c316e3eb
  • Click on the “Advanced” tab.
  • Click on the pen beside "Pipe valves" and search for the Pipe ID until you find the "PropertyAddValve" associated with that Pipe ID.
  • In the config section of the "PropertyAddValve" valve add "splitter": "¤"
    You can replace ¤ with other characters.

8.1. Example config

  {
      "id": "9fad287d-09bc-4931-a4ec-d24031656fb2",
      "name": "PropertyAddValve",
      "enabled": "true",
      "config": {
          "proceed_on_error": "false",
          "name": "Application",
          "value": "CN=App1,OU=Applications,OU=Groups,DC=phenixid,DC=local",
          "splitter": "¤"
      },
      "pipe_ref": "f7e74ccc-60a3-4381-9810-0892c316e3eb",
      "created": "2018-06-11T10:20:15.626Z"
  },