    <SessionInitiator type="Chaining" Location="/Login" id="MIT"
            relayState="cookie" entityID="https://idp-mit-edu.ezproxy.canberra.edu.au/shibboleth">
        <SessionInitiator type="SAML2" acsIndex="1" template="bindingTemplate.html"/>
        <SessionInitiator type="Shib1" acsIndex="5"/>
    </SessionInitiator>

Group rules allow you to automatically map Touchstone-authenticated users to specific Drupal roles, based on the values of SAML attributes released by the IdP. One attribute we commonly use here is "affiliation". The example below shows the Group Rules configuration for Drupal 6, which the original page presents as a screenshot of the module's settings form.

In this example, we have used the three possible values of the MIT Touchstone "affiliation" attribute (staff, student, and affiliate) to automatically map new accounts to three new roles we created in Drupal: Staff User, Student User, and Affiliate. By default, Drupal 6 has only two roles: Anonymous user and Authenticated user. Without further configuration, every Drupal account automatically receives the "Authenticated user" role, but you may want to create additional roles in order to control permissions more granularly. For example, we might configure our Drupal site to let students see certain kinds of content while giving staff a different default view.

Note that the affiliation attribute is not the only one you can use in the shib_auth module; you can also map a user to a particular role based on the form of the username or email address, for example giving one role to people who authenticate via the MIT IdP (who will have an email address ending in @mit.edu) and a different role to everyone else (e.g., collaboration account users).
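To make the rule evaluation described in the last two paragraphs concrete, here is an added example (not code from the shib_auth module or from this page) that models group rules as (attribute, regular expression, role) triples and applies them to the attributes a Shibboleth SP hands to the application. The "MIT Account" role name and the `mail` attribute name are assumptions; the affiliation values and role names come from the page.

```python
import re

# Constructed model of shib_auth-style group rules. Each rule maps one SAML
# attribute (as exposed by the Shibboleth SP, e.g. via HTTP headers or
# environment variables) through a regular expression to a Drupal role.
# This is illustrative code, not the shib_auth module's own implementation.
GROUP_RULES = [
    # (attribute name, regular expression, Drupal role)
    ("affiliation", r"staff",          "Staff User"),
    ("affiliation", r"student",        "Student User"),
    ("affiliation", r"affiliate",      "Affiliate"),
    ("mail",        r"[^@]+@mit\.edu", "MIT Account"),  # hypothetical role name
]


def split_values(raw):
    """The Shibboleth SP joins multi-valued attributes with ';'.

    Split on that separator and trim whitespace, dropping empty entries, so a
    user released as 'staff;student' matches both affiliation rules.
    """
    return [v.strip() for v in raw.split(";") if v.strip()]


def roles_for(attributes, rules=GROUP_RULES):
    """Return the sorted list of Drupal roles granted to one login.

    attributes: dict of attribute name -> raw value string from the SP.
    'Authenticated user' is always granted, as Drupal does for any account.
    Patterns are matched with fullmatch(), so a value such as 'staffing' or
    an address like 'x@mit.edu.example.org' does not satisfy a rule that
    was written for 'staff' or '@mit.edu'.
    """
    granted = {"Authenticated user"}
    for attr, pattern, role in rules:
        raw = attributes.get(attr)
        if raw is None:  # attribute not released by this IdP: rule cannot apply
            continue
        for value in split_values(raw):
            if re.fullmatch(pattern, value, flags=re.IGNORECASE):
                granted.add(role)
    return sorted(granted)


if __name__ == "__main__":
    # Constructed sample: attributes as the SP might release them for one user.
    print(roles_for({"affiliation": "staff", "mail": "alice@mit.edu"}))
```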