SAML custom attributes and passing them to the job filter

  • Question

  • I have set up an IdP with a custom attribute for managing user access to certain nodes. I can see that the attribute is passed from the IdP, but I have no idea how to associate it with a session for the job submission filter to evaluate it. Ideally, I would like to implement this for an Excel client authenticating via SAML.
    Friday, May 1, 2009 4:15 AM

Answers

  • Custom Properties should appear in the XML that is passed to the submission filter (you can modify/add them in the filter as well), though I'm not sure I fully understand what you're doing.


    -Josh
    Saturday, May 2, 2009 12:17 AM
    Moderator

All replies

  • The problem I am trying to solve is that licensing is not consistent across campus. What I am doing is using AD group membership to determine what software the user is entitled to run. Based on those groups I populate a custom attribute in the IdP. What I am trying to do is limit the access to certain machines via the submission filter. Because different departments use different security models, I am authenticating with Shibboleth instead of AD.

    Let me try modifying the filter and I will post the results.
    ~ Sid
    Wednesday, May 6, 2009 4:10 PM
  • I guess that a single node does not really constitute a success but... creating node groups and aligning the node groups to applications seems to do it for a simple case. Using the Licenses job property may also work. What it looks like I need to do is write a filter that will first check for licenses and then compare that to the node groups to see which nodes are available. So, say for example that I have a user with a campus agreement but not Matlab. I would need to restrict the user to only those machines that have Microsoft Office on them and not Matlab. If the user is submitting a job via Web Submission, application-level control is near impossible, as the call to an application can be embedded. I think it will be far easier to just limit the user's access to nodes where they are licensed for all installed applications. There will also need to be a filter for applications like ArcGIS where we have a limited number of licenses and the first priority is for class use. To keep the security folks happy I am going to pass the ID of the SAML artifact response to the filter logs.
    ~ Sid

    Below is my licensing attribute definition from the IdP

    Attribute Definition (attribute-resolver.xml):

        <!-- Map LDAP/AD group memberships (ritEduMemberOfUid) to the software the user is licensed for -->
        <resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                                      id="licensedSoftware" sourceAttributeID="ritEduMemberOfUid">
            <resolver:Dependency ref="myLDAP" />
            <resolver:Dependency ref="ritEduMemberOfUid" />

            <!-- release the mapped values under the same name for SAML 1 and SAML 2 SPs -->
            <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                       name="licensedSoftware" />
            <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
                                       name="licensedSoftware" friendlyName="licensedSoftware" />

            <!-- each ValueMap yields its ReturnValue when one of its SourceValues matches a group -->
            <ValueMap>
                <ReturnValue>Microsoft</ReturnValue>
                <SourceValue>staff</SourceValue>
                <SourceValue>faculty</SourceValue>
            </ValueMap>

            <ValueMap>
                <ReturnValue>Matlab</ReturnValue>
                <SourceValue>students</SourceValue>
                <SourceValue>faculty</SourceValue>
            </ValueMap>

            <ValueMap>
                <ReturnValue>Visual Studio</ReturnValue>
                <SourceValue>systems_team</SourceValue>
            </ValueMap>
        </resolver:AttributeDefinition>

     

    Release Attribute to SP (attribute-filter.xml)


    Wednesday, May 6, 2009 9:29 PM
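  • Sketch of the submission-filter logic described in the post above (a filter that reads the user's licensed software from the job's custom properties, keeps only node groups whose installed software is fully covered, and writes the SAML artifact response ID to its log). This is an added example, not code from the thread, from HPC Pack or from Shibboleth. It assumes, without confirmation from the thread, that the job XML uses the HPCS2008 scheduler namespace with <CustomProperties><Term><Name/><Value/></Term> entries, that the SSO layer copies the SAML attribute and artifact ID into custom properties named licensedSoftware and samlArtifactResponseID, that multi-valued attributes arrive ";"-joined, and that the filter is handed a job XML path and signals rejection with a non-zero exit code. The node-group inventory and the sample job are constructed for the example.

```python
"""Example submission filter: allow a job only on node groups where every
installed package is licensed to the submitting user. Added example; the
XML layout, property names and filter contract are assumptions."""
import sys
import xml.etree.ElementTree as ET

NS = {"hpc": "http://schemas.microsoft.com/HPCS2008/scheduler/"}  # assumed namespace
LICENSE_PROP = "licensedSoftware"          # assumed custom-property name
ARTIFACT_PROP = "samlArtifactResponseID"   # assumed; only used for the audit line

# Constructed inventory: node group -> software installed on every node in it.
NODE_GROUP_SOFTWARE = {
    "OfficeNodes": {"Microsoft"},
    "MatlabNodes": {"Microsoft", "Matlab"},
    "DevNodes": {"Microsoft", "Visual Studio"},
}

# Constructed sample job: user licensed only for "Microsoft", asking for two groups.
SAMPLE_JOB_XML = """<?xml version="1.0"?>
<Job xmlns="http://schemas.microsoft.com/HPCS2008/scheduler/" Name="render"
     NodeGroups="MatlabNodes,OfficeNodes">
  <CustomProperties>
    <Term><Name>licensedSoftware</Name><Value>Microsoft</Value></Term>
    <Term><Name>samlArtifactResponseID</Name><Value>_a1b2c3</Value></Term>
  </CustomProperties>
</Job>
"""


def custom_properties(root):
    """Collect <Term> entries into name -> [values] (a name may repeat)."""
    props = {}
    for term in root.findall("hpc:CustomProperties/hpc:Term", NS):
        name = term.findtext("hpc:Name", default="", namespaces=NS)
        value = term.findtext("hpc:Value", default="", namespaces=NS)
        props.setdefault(name, []).append(value)
    return props


def licensed_set(props):
    """Flatten repeated and ';'-joined licensedSoftware values into one set."""
    licensed = set()
    for raw in props.get(LICENSE_PROP, []):
        licensed.update(v.strip() for v in raw.split(";") if v.strip())
    return licensed


def permitted_groups(licensed, inventory=NODE_GROUP_SOFTWARE):
    """A group is usable only if ALL software installed there is licensed."""
    return {group for group, apps in inventory.items() if apps <= licensed}


def filter_job(xml_text, inventory=NODE_GROUP_SOFTWARE):
    """Return (exit_code, audit_line, node_groups, rewritten_xml).

    exit_code 0 = accept with NodeGroups narrowed; 1 = reject (deny by default).
    """
    ET.register_namespace("", NS["hpc"])
    root = ET.fromstring(xml_text)
    props = custom_properties(root)
    artifact = props.get(ARTIFACT_PROP, ["<none>"])[0]
    allowed = permitted_groups(licensed_set(props), inventory)
    requested = {g for g in root.get("NodeGroups", "").split(",") if g}
    # Narrow to what was asked for; an explicit request with no overlap is rejected
    # rather than silently moved elsewhere.
    final = (requested & allowed) if requested else allowed
    if not final:
        audit = "artifact=%s REJECT requested=%s allowed=%s" % (
            artifact, sorted(requested), sorted(allowed))
        return 1, audit, set(), xml_text
    root.set("NodeGroups", ",".join(sorted(final)))
    audit = "artifact=%s ACCEPT nodegroups=%s" % (artifact, sorted(final))
    return 0, audit, final, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Assumed contract: argv[1] is the job XML path; the filter rewrites it in place.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_JOB_XML
    code, audit, _, new_xml = filter_job(text)
    print(audit, file=sys.stderr)
    if code == 0 and path:
        open(path, "w", encoding="utf-8").write(new_xml)
    sys.exit(code)
```

    Deny-by-default matters here: if the IdP releases no licensedSoftware value at all, the user gets no node groups and the job is rejected, which is the safe failure mode when the attribute pipeline is misconfigured.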