Protecting Resources
There are two ways of doing this. The first is to make sure that the list of attributes read by the application (supplied by the AAP) is sufficient, and to let the application perform its own checks on whether the user has supplied the correct attributes. The second approach is to use the AAP's alias directive, which is illustrated in the AAP discussion.
You can also use XML authorization in shibboleth.xml as follows. This still assumes that you have protected the secure folder or location in either Apache or IIS.
- protect the secure location (Apache configuration shown)
    <Location /secure>
        AuthType shibboleth
        require shibboleth
    </Location>
- edit shibboleth.xml to put an access control restriction specifically on this secure location
    <Host name="sp.example.org">
        <Path name="secure" authType="shibboleth" requireSession="true">
            <AccessControlProvider uri="/var/www/secure/.shib.xml"
                type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl"
            />
        </Path>
    </Host>
- create the .shib.xml file in /var/www/secure
    <?xml version="1.0" encoding="UTF-8"?>
    <AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
        <AND>
            <Rule require="affiliation">student</Rule>
            <OR>
                <Rule require="user">joe</Rule>
                <Rule require="user">james</Rule>
            </OR>
            <NOT>
                <Rule require="course-id">comp123</Rule>
            </NOT>
        </AND>
    </AccessControl>
- the above specifies that the user's affiliation must be student, the user name (identification) must be either joe or james, and the user must not be taking comp123.
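To make the AND/OR/NOT semantics of the policy above concrete, here is an added evaluator written for this page; it is not the Shibboleth SP's own XMLAccessControl code. It assumes attributes are multi-valued (a Rule matches when any received value equals its text) and fails closed on anything it does not understand, both of which are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = "{urn:mace:shibboleth:target:config:1.0}"

# Constructed copy of the .shib.xml policy shown above (declaration omitted).
POLICY = """<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
  <AND>
    <Rule require="affiliation">student</Rule>
    <OR>
      <Rule require="user">joe</Rule>
      <Rule require="user">james</Rule>
    </OR>
    <NOT>
      <Rule require="course-id">comp123</Rule>
    </NOT>
  </AND>
</AccessControl>"""


def evaluate(node, attrs):
    """Recursively evaluate one policy element against the user's attributes.

    attrs maps an attribute name to the set of values received for the user.
    Assumption: a Rule is satisfied when any value matches its text, and
    unknown or malformed elements deny (fail closed)."""
    tag = node.tag.replace(NS, "")
    children = list(node)
    if tag == "Rule":
        wanted = (node.text or "").strip()
        return wanted in attrs.get(node.get("require"), set())
    if tag == "AND":
        return bool(children) and all(evaluate(c, attrs) for c in children)
    if tag == "OR":
        return any(evaluate(c, attrs) for c in children)
    if tag == "NOT":
        # NOT takes exactly one child; anything else is treated as a deny.
        return len(children) == 1 and not evaluate(children[0], attrs)
    return False


def is_authorized(policy_xml, attrs):
    """True when the user's attributes satisfy the single top-level rule."""
    root = ET.fromstring(policy_xml)
    children = list(root)
    # An empty or multi-rooted AccessControl element grants nothing.
    return len(children) == 1 and evaluate(children[0], attrs)
```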