Primary speaker:
Jonathan Zhao, Senior Authentication Systems Specialist, Information Security
Additional speaker:
Xin Xiang, Senior IAM specialist, ITS
Description:
Many applications integrated with institutional Single Sign-On (SSO) lack native authorization capabilities, leaving access control fragmented or enforced locally within each system. This presentation introduces a centralized authorization pattern for higher education environments using Shibboleth Identity Provider (IdP) and Grouper, inspired by the simplicity and effectiveness of TCP Wrappers.
The design implements a unified authorization mechanism enforced by the IdP, on behalf of Service Providers (SPs), without requiring modifications to the SPs themselves. Similar to the hosts.allow and hosts.deny model, two centrally managed Grouper groups — users.allow and users.deny — control access to SSO-protected services.
The access control logic is intentionally simplified to improve usability:
- Mutually exclusive configuration: Each SP may use either users.allow or users.deny, but not both.
- Practical defaults: For SPs using users.allow, only users explicitly included in the group are permitted. For SPs using users.deny, only users explicitly included in the group are denied.
The solution leverages two key features of Shibboleth IdP:
- Context Check Interception: A Shibboleth IdP extension point is used to evaluate login context during authentication, enabling centralized authorization decisions at login.
- Custom Metadata Entity Attributes: To allow each SP to reference its own authorization groups in Grouper, two custom metadata tags are defined:
- https://saml.utoronto.ca/entity-attribute/usersAllowGroup
- https://saml.utoronto.ca/entity-attribute/usersDenyGroup
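The decision logic described above, as an added illustration that is not code from the presenters or from the Shibboleth or Grouper projects: it reads the two custom entity attributes from an SP's SAML metadata (standard mdattr/saml namespaces; the entityID and group names are constructed placeholders), then applies the allow-mode / deny-mode rule, failing closed when an SP is misconfigured with both tags. Treating a missing tag as "no IdP-enforced check" and accepting membership in any listed group are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Standard OASIS namespaces used by SAML metadata entity attributes.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ALLOW_TAG = "https://saml.utoronto.ca/entity-attribute/usersAllowGroup"
DENY_TAG = "https://saml.utoronto.ca/entity-attribute/usersDenyGroup"

# Constructed sample SP metadata; entityID and Grouper group name are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.edu/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="https://saml.utoronto.ca/entity-attribute/usersAllowGroup">
        <saml:AttributeValue>app:sp-example:users.allow</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
</md:EntityDescriptor>"""


def entity_attributes(metadata_xml):
    """Return {attribute Name: [values]} from the SP's EntityAttributes extension."""
    root = ET.fromstring(metadata_xml)
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def authorize(attrs, user_groups):
    """Apply the users.allow / users.deny rule; returns (allowed, reason).

    user_groups is the set of Grouper group names the authenticating user belongs to.
    """
    allow = attrs.get(ALLOW_TAG, [])
    deny = attrs.get(DENY_TAG, [])
    if allow and deny:
        # Tags are mutually exclusive; a misconfigured SP fails closed.
        return False, "misconfigured: SP names both an allow and a deny group"
    if allow:
        return any(g in user_groups for g in allow), "allow-mode: members only"
    if deny:
        return not any(g in user_groups for g in deny), "deny-mode: members blocked"
    # Assumption: no tag means the IdP imposes no group check for this SP.
    return True, "no IdP-enforced group for this SP"
```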
Although the model relies on only two logical groups, Grouper’s composite and automation features enable advanced access management scenarios, including:
- Shared allowlists or denylists across multiple applications
- Department-level access control patterns
- Automated membership synchronization from external systems via APIs
This approach scales from simple use cases to complex enterprise authorization while maintaining centralized governance.
The presentation includes a live demonstration of an SP using this design to enforce access control, illustrating how centralized login authorization can be achieved with minimal operational overhead. The session concludes with Q&A.