saml custom attribitues and passing them to the job filter

Fri, 01 May 2009 04:15:45 Z

I have a set up a IdP with a custom attribute for managing user access to certain nodes. I can see that the attribute is passed from the IdP but I have no idea on how to associate it with a session for the job submissionfilter to evaluate it. Ideally, I would like to implement this for an excel client authenticating via SAML.

saml custom attribitues and passing them to the job filter

Sat, 02 May 2009 00:17:51 Z

Custom Properties should appear in the XML that is passed to the submission filter (you can modify/add them in the filter as well), though I'm not sure I fully understand what you're doing.

-Josh

saml custom attribitues and passing them to the job filter

Wed, 06 May 2009 16:10:38 Z

The problem I am trying to solve is that licensing is not consistent across campus. What I am doing is using AD group membership to determine what software the user is entitled to run. Based on those groups I populate a custom attribute in the IdP. What I am trying to do is limit the access to certain machines via the submission filter. Because different departments use different security models I am authenticating with Shibboleth instead of AD.

Let me try modifying the filter and I will post the results.
~ Sid

saml custom attribitues and passing them to the job filter

Wed, 06 May 2009 21:29:36 Z

I guess that a single node does not really constitute a success but... creating node groups and aligning the node groups to applications seems to do it for a simple case. Using the Licenses Job Property may also work. What it looks like I need to do is write a filter that will first check for licenses and then compare that to the node groups to see which nodes are available. So, say for example that I have a user with a campus agreement but not matlab. I would need to restrict the user to only those machines that have Microsoft Office on them and not matlab. If the user is submitting a job via Web Submission, application level control is near impossible as the call to an application can be embedded. I think it will be far easier to just limit the user's access to nodes where they are licensed for all installed applications. There will also need to be a filter for applications like ArcGIS where we have a limited number of license and the first prioity is for class use. To keep the security folks happy I am going to pass the ID of the saml artifact response to the filter logs.
~ Sid

Below is my licensing attribute definition from the IdP

Attribute Definition (attribute-resolver.xml):

<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="licensedSoftware" sourceAttributeID="ritEduMemberOfUid">

<resolver:Dependency ref="myLDAP" />

<resolver:Dependency ref="ritEduMemberOfUid" />

<resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"

name="licensedSoftware" />

<resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"

name="licensedSoftware" friendlyName="licensedSoftware" />

<ReturnValue>Microsoft</ReturnValue>

<SourceValue>staff</SourceValue>

<SourceValue>faculty</SourceValue>

</ValueMap>

<ReturnValue>Matlab</ReturnValue>

<SourceValue>students</SourceValue>

<SourceValue>faculty</SourceValue>

</ValueMap>

<ReturnValue>Visual Studio</ReturnValue>

<SourceValue>systems_team</SourceValue>

</ValueMap>

</resolver:AttributeDefinition>

Release Attribute to SP (attribute-filter.xml)