
shibboleth-dev - RE: Access Policy strawman


RE: Access Policy strawman


  • From: Scott Cantor <>
  • To: 'Thomas Lenggenhager' <>
  • Cc:
  • Subject: RE: Access Policy strawman
  • Date: Mon, 07 Jun 2004 02:42:17 -0400
  • Organization: The Ohio State University

> Scott, it would be great if you could write a simple sample of how to
> use that new hook. We have a target site which might want to use a rule
> which requires AND as well as OR, which currently is not possible
> otherwise.

I don't think I can get you a sample any time very soon; I'm just too busy
with SAML 2 work and Shib documents and pilots at the moment. I am hoping to
get at least the programming interfaces documented shortly (but that's not a
working sample).

The API is documented in shibtarget.h as IAccessControl. It requires
providing a class that implements a single function:

    bool authorized(
        const saml::SAMLAuthenticationStatement& authn,
        const saml::Iterator<saml::SAMLAssertion*>& attrs
    ) const=0;

The target configuration schema defines an element inside <RequestMap>'s
<Host> and <Path> elements that can contain Access Control policy for
requests that map to that point in the tree (or above, if not overridden).
The plugin has to read in instances of the XML it defines for itself, one
object per <AccessControlProvider> element, and then the object has to
evaluate the policy against the inputs provided.

An example might be:

    <RequestMap applicationId="default">
        <Host name="localhost" scheme="https">
            <Path name="secure" requireSession="true">
                <AccessControlProvider type="edu.osu.shibboleth.sample">
                    your XML here
                </AccessControlProvider>
            </Path>
        </Host>
    </RequestMap>

A bit verbose, I admit, but hey, we're supposed to have tools to generate
and maintain this stuff, right? ;-) Yeah, any day now...

The plugin exports a factory function that libshibtarget will give the DOM
element <AccessControlProvider>, and the object initializes its state with
the XML inside (which could be a pointer to a file that's not XML) and
figures out how to return yes/no when it's called.

The xmlproviders library is an example plugin library that registers
implementations of other interfaces (a lot of the actual Shibboleth code in
fact), just not this one. It's the best working example of how to do a
plugin for any of the APIs.

Note that the whole RequestMap piece is itself pluggable, so conceivably the
whole combination could be replaced with something that works better if
somebody comes up with one that is.

-- Scott
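The plugin shape Scott describes (a class with one authorized() function, a factory that is handed the <AccessControlProvider> element, and plugin-defined XML inside it) as an added, stand-alone sketch that is not Shibboleth code and not Scott's sample. It compiles without OpenSAML by assuming a plain attribute-name-to-values map in place of the SAML authentication statement and assertion iterator, and it assumes a hypothetical <AND>/<OR>/<Rule> rule vocabulary to show the AND-plus-OR policy Thomas asked about. The names SampleAccessControl, SampleAccessControlFactory, MiniParser, checkSample and policyLoads, and the sample policy and attributes, are all constructed for this example; the tiny parser handles only that subset (no entities, no namespaces), whereas a real plugin would walk the DOM element libshibtarget passes in.

```cpp
#include <cctype>
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the attributes carried in SAML attribute assertions:
// attribute name -> set of values (assumption replacing the saml:: types).
typedef std::map<std::string, std::set<std::string> > AttributeMap;

// Same shape as IAccessControl in shibtarget.h: a single yes/no function,
// with the SAML inputs replaced by the AttributeMap above.
struct IAccessControl {
    virtual ~IAccessControl() {}
    virtual bool authorized(const AttributeMap& attrs) const = 0;
};

// Rule tree: a LEAF matches one attribute value; AND/OR combine children.
struct Rule {
    enum Kind { LEAF, AND, OR } kind;
    std::string name, value;                  // LEAF only
    std::vector<std::unique_ptr<Rule> > kids; // AND/OR only

    bool eval(const AttributeMap& attrs) const {
        if (kind == LEAF) {
            AttributeMap::const_iterator it = attrs.find(name);
            return it != attrs.end() && it->second.count(value) > 0;
        }
        if (kids.empty()) return false;       // fail closed on an empty group
        if (kind == AND) {
            for (const auto& k : kids) if (!k->eval(attrs)) return false;
            return true;
        }
        for (const auto& k : kids) if (k->eval(attrs)) return true;
        return false;
    }
};

// Minimal parser for the hypothetical vocabulary:
//   <AND>...</AND>  <OR>...</OR>  <Rule name="..." value="..."/>
// Malformed or empty groups throw, so the plugin refuses to load rather
// than silently granting access.
class MiniParser {
    const std::string& s;
    size_t p;
    void skipWs() { while (p < s.size() && isspace((unsigned char)s[p])) ++p; }
    bool consume(const std::string& lit) {
        if (s.compare(p, lit.size(), lit) != 0) return false;
        p += lit.size();
        return true;
    }
    std::string attr(const std::string& key) {
        skipWs();
        if (!consume(key + "=\"")) throw std::runtime_error("expected " + key);
        size_t q = s.find('"', p);
        if (q == std::string::npos) throw std::runtime_error("unterminated " + key);
        std::string v = s.substr(p, q - p);
        p = q + 1;
        return v;
    }
public:
    explicit MiniParser(const std::string& src) : s(src), p(0) {}
    std::unique_ptr<Rule> parse() {
        skipWs();
        std::unique_ptr<Rule> r(new Rule);
        if (consume("<Rule")) {
            r->kind = Rule::LEAF;
            r->name = attr("name");
            r->value = attr("value");
            skipWs();
            if (!consume("/>")) throw std::runtime_error("expected />");
            return r;
        }
        std::string tag;
        if (consume("<AND>")) { r->kind = Rule::AND; tag = "AND"; }
        else if (consume("<OR>")) { r->kind = Rule::OR; tag = "OR"; }
        else throw std::runtime_error("unexpected input at " + std::to_string(p));
        for (;;) {
            skipWs();
            if (consume("</" + tag + ">")) break;
            if (p >= s.size()) throw std::runtime_error("unterminated <" + tag + ">");
            r->kids.push_back(parse());
        }
        if (r->kids.empty()) throw std::runtime_error("<" + tag + "> has no children");
        return r;
    }
    void expectEnd() { skipWs(); if (p != s.size()) throw std::runtime_error("trailing input"); }
};

// The plugin object: parses the XML found inside <AccessControlProvider>
// once at load time, then answers yes/no per request.
class SampleAccessControl : public IAccessControl {
    std::unique_ptr<Rule> root;
public:
    explicit SampleAccessControl(const std::string& policyXml) {
        MiniParser ps(policyXml);
        root = ps.parse();
        ps.expectEnd();
    }
    bool authorized(const AttributeMap& attrs) const { return root->eval(attrs); }
};

// Stand-in for the exported factory; libshibtarget would pass the DOM element,
// here it receives that element's text content as a string instead.
IAccessControl* SampleAccessControlFactory(const std::string& policyXml) {
    return new SampleAccessControl(policyXml);
}

// Constructed sample policy: member AND (library entitlement OR staff).
const char* const kSamplePolicy =
    "<AND>\n"
    "  <Rule name=\"eduPersonAffiliation\" value=\"member\"/>\n"
    "  <OR>\n"
    "    <Rule name=\"eduPersonEntitlement\" value=\"urn:example:library\"/>\n"
    "    <Rule name=\"eduPersonAffiliation\" value=\"staff\"/>\n"
    "  </OR>\n"
    "</AND>\n";

// Does a policy document load at all? (A real plugin should fail its load.)
bool policyLoads(const std::string& policyXml) {
    try { std::unique_ptr<IAccessControl> ac(SampleAccessControlFactory(policyXml)); return ac != nullptr; }
    catch (const std::exception&) { return false; }
}

// Evaluate kSamplePolicy against a constructed (name, value) attribute list.
bool checkSample(const std::vector<std::pair<std::string, std::string> >& attrs) {
    AttributeMap m;
    for (const auto& a : attrs) m[a.first].insert(a.second);
    std::unique_ptr<IAccessControl> ac(SampleAccessControlFactory(kSamplePolicy));
    return ac->authorized(m);
}

int main() {
    // member + library entitlement passes; member alone and staff alone do not.
    return (checkSample({{"eduPersonAffiliation", "member"},
                         {"eduPersonEntitlement", "urn:example:library"}})
            && !checkSample({{"eduPersonAffiliation", "member"}})
            && !checkSample({{"eduPersonAffiliation", "staff"}})) ? 0 : 1;
}
```

The two choices worth carrying into a real plugin are in the parser and in eval(): an empty or malformed group is rejected at load time and evaluates to false if it somehow gets through, so a typo in the policy denies rather than grants. Attribute matching here is exact-string on one value; scoped attributes and regular expressions would go in the LEAF case.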



