Answered: SAML custom attributes and passing them to the job filter

  • Friday, 1 May 2009 4:15, sidp
     
    I have set up an IdP with a custom attribute for managing user access to certain nodes.  I can see that the attribute is passed from the IdP but I have no idea on how to associate it with a session for the job submission filter to evaluate it. Ideally, I would like to implement this for an Excel client authenticating via SAML.

Answers

All answers

  • Saturday, 2 May 2009 0:17, Josh Barnard, MSFT, Owner
     Answered

    Custom Properties should appear in the XML that is passed to the submission filter (you can modify/add them in the filter as well), though I'm not sure I fully understand what you're doing.


    -Josh
  • Wednesday, 6 May 2009 16:10, sidp
     
    The problem I am trying to solve is that licensing is not consistent across campus. What I am doing is using AD group membership to determine what software the user is entitled to run.  Based on those groups I populate a custom attribute in the IdP.  What I am trying to do is limit the access to certain machines via the submission filter. Because different departments use different security models I am authenticating with Shibboleth instead of AD.

    Let me try modifying the filter and I will post the results.
    ~ Sid
  • Wednesday, 6 May 2009 21:29, sidp
     
    I guess that a single node does not really constitute a success but... creating node groups and aligning the node groups to applications seems to do it for a simple case. Using the Licenses Job Property may also work. What it looks like I need to do is write a filter that will first check for licenses and then compare that to the node groups to see which nodes are available.  So, say for example that I have a user with a campus agreement but not Matlab. I would need to restrict the user to only those machines that have Microsoft Office on them and not Matlab. If the user is submitting a job via Web Submission, application level control is near impossible as the call to an application can be embedded. I think it will be far easier to just limit the user's access to nodes where they are licensed for all installed applications. There will also need to be a filter for applications like ArcGIS where we have a limited number of licenses and the first priority is for class use. To keep the security folks happy I am going to pass the ID of the SAML artifact response to the filter logs.
    ~ Sid

    Below is my licensing attribute definition from the IdP

    Attribute Definition (attribute-resolver.xml):

     

            <resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad" id="licensedSoftware" sourceAttributeID="ritEduMemberOfUid">
                <resolver:Dependency ref="myLDAP" />
                <resolver:Dependency ref="ritEduMemberOfUid" />
                <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                    name="licensedSoftware" />
                <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                    name="licensedSoftware" friendlyName="licensedSoftware" />
                <!-- each ValueMap turns the listed group-membership values into one licensed product name -->
                <ValueMap>
                    <ReturnValue>Microsoft</ReturnValue>
                    <SourceValue>staff</SourceValue>
                    <SourceValue>faculty</SourceValue>
                </ValueMap>
                <ValueMap>
                    <ReturnValue>Matlab</ReturnValue>
                    <SourceValue>students</SourceValue>
                    <SourceValue>faculty</SourceValue>
                </ValueMap>
                <ValueMap>
                    <ReturnValue>Visual Studio</ReturnValue>
                    <SourceValue>systems_team</SourceValue>
                </ValueMap>
            </resolver:AttributeDefinition>

     

    Release Attribute to SP (attribute-filter.xml)
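As an added example (not code from this thread, Sid, or Microsoft), the following script sketches the submission-filter logic discussed above: Josh's point that custom properties arrive in the job XML handed to the filter, and Sid's plan to check the user's licenses against the software installed on each node group, restrict the job to node groups where everything installed is licensed, and write the SAML artifact ID to the filter log. Everything about the job XML layout is an assumption: the `http://schemas.microsoft.com/HPCS2008/scheduler/` namespace, the `NodeGroups`/`NodeGroup` and `CustomProperties`/`Term` elements, and the premise that the IdP's `licensedSoftware` values have been copied into a custom property of that name as a semicolon-joined list (plus a `samlArtifactId` property). The node-group inventory and the sample job are constructed, and the exit-code mapping in `main` is a placeholder to be checked against the scheduler's documented accept/reject convention.

```python
import logging
import sys
import xml.etree.ElementTree as ET

# Assumed job-XML namespace and element names (not taken from the thread).
HPC_NS = "http://schemas.microsoft.com/HPCS2008/scheduler/"
NS = {"hpc": HPC_NS}
ET.register_namespace("", HPC_NS)

# Constructed inventory: node group -> software installed on every node in it.
NODE_GROUP_SOFTWARE = {
    "OfficeNodes": {"Microsoft"},
    "MatlabNodes": {"Microsoft", "Matlab"},
    "DevNodes": {"Microsoft", "Visual Studio"},
}

# Constructed sample job: a staff user (licensedSoftware=Microsoft) asks for
# Matlab nodes as well as Office nodes; the artifact id is a made-up value.
SAMPLE_JOB_XML = """<Job xmlns="http://schemas.microsoft.com/HPCS2008/scheduler/" Name="report" UserName="sidp">
  <NodeGroups>
    <NodeGroup>MatlabNodes</NodeGroup>
    <NodeGroup>OfficeNodes</NodeGroup>
  </NodeGroups>
  <CustomProperties>
    <Term><Name>licensedSoftware</Name><Value>Microsoft</Value></Term>
    <Term><Name>samlArtifactId</Name><Value>_constructed-artifact-0001</Value></Term>
  </CustomProperties>
</Job>"""

log = logging.getLogger("submissionfilter")


def custom_properties(root):
    """Return the job's custom properties as a {name: value} dict."""
    props = {}
    for term in root.findall("hpc:CustomProperties/hpc:Term", NS):
        name = term.findtext("hpc:Name", default="", namespaces=NS).strip()
        value = term.findtext("hpc:Value", default="", namespaces=NS).strip()
        if name:
            props[name] = value
    return props


def licensed_set(value):
    """Split the multi-valued licensedSoftware property (assumed ';'-joined)."""
    return {v.strip() for v in value.split(";") if v.strip()}


def allowed_node_groups(licensed, inventory):
    """Node groups where every installed application is covered by the user's licenses."""
    return sorted(g for g, installed in inventory.items() if installed <= licensed)


def node_groups_in(xml_text):
    """Node groups requested by a job document (used to inspect the rewritten job)."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.findall("hpc:NodeGroups/hpc:NodeGroup", NS) if e.text]


def set_node_groups(root, groups):
    """Replace the job's NodeGroups element with exactly the given groups."""
    ng = root.find("hpc:NodeGroups", NS)
    if ng is None:
        ng = ET.SubElement(root, f"{{{HPC_NS}}}NodeGroups")
    for child in list(ng):
        ng.remove(child)
    for g in groups:
        ET.SubElement(ng, f"{{{HPC_NS}}}NodeGroup").text = g


def filter_job(xml_text, inventory=NODE_GROUP_SOFTWARE):
    """Decide on one job. Returns (accepted, rewritten_xml_or_None)."""
    root = ET.fromstring(xml_text)
    props = custom_properties(root)
    licensed = licensed_set(props.get("licensedSoftware", ""))
    allowed = allowed_node_groups(licensed, inventory)
    requested = [e.text.strip() for e in root.findall("hpc:NodeGroups/hpc:NodeGroup", NS) if e.text]
    # Requested groups are narrowed to the allowed ones; no request means "any allowed group".
    final = [g for g in requested if g in allowed] if requested else allowed
    # The SAML artifact id goes into the log so each decision can be tied back to the assertion.
    log.info("samlArtifactId=%s user=%s licensed=%s requested=%s allowed=%s final=%s",
             props.get("samlArtifactId", "<none>"), root.get("UserName"),
             sorted(licensed), requested, allowed, final)
    if not final:
        return False, None
    set_node_groups(root, final)
    return True, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Assumed invocation: the scheduler passes the job XML path as the first argument and the
    # filter rewrites the file in place. Exit codes here are placeholders; use the convention
    # the scheduler documents for accept / reject / modified.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_JOB_XML
    accepted, rewritten = filter_job(text)
    if accepted and path:
        open(path, "w", encoding="utf-8").write(rewritten)
    sys.exit(0 if accepted else 1)
```

Run with no arguments to see the decision for the constructed sample job: the user is licensed only for Microsoft, so `MatlabNodes` is dropped and the job is narrowed to `OfficeNodes`; a job that requests only groups the user is not fully licensed for is rejected outright, which is the "licensed for all installed applications" rule from the post. The filter never trusts anything the client can write except the custom property that the filter itself (or the scheduler integration) populated from the SAML attribute, so in a real deployment that copy step is the part to protect.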