How do I enable policy based SAML restriction?

Hi everyone,

I’m trying to restrict the SAML assertion based on an authorization policy, but it looks like that approach is not working as expected.

Steps followed:
Added a policy set
Added the SP entity ID to the URL list
Added a subject condition that applies if the user is not part of the group

Although the user is not part of the group, the IdP-initiated call is still giving the SAML response.

Not sure if this is the right approach. Can someone please suggest other options to achieve this, or point out if something can be changed to get this solution working?

Thanks,
Rick


AM does not evaluate policies during SAML2 flows. There is an RFE for this, but it hasn’t been scheduled for a release yet:
https://backstage.forgerock.com/support/issues/OPENAM-8299

If you access the issue through JIRA, you can also find an example plugin there that adds this feature in the interim:
https://bugster.forgerock.org/jira/browse/OPENAM-8299

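The following is an added illustration of the interim approach the reply describes, not the plugin attached to the JIRA issue and not ForgeRock code: an IdP adapter that evaluates the configured policy before the IdP issues its response. It assumes the SAML2IdentityProviderAdapter / DefaultIDPAdapter extension point and the legacy com.sun.identity.policy.PolicyEvaluator API as they exist in OpenAM 11 to 13 (check the signatures against the Javadoc of the AM version actually deployed; newer releases expose the same decision through com.sun.identity.entitlement.Evaluator), that the default session provider passes the user's SSOToken as the session object, and a hypothetical policy set name "SamlAccess". Returning true from preSendResponse tells the IdP that the adapter has handled the response, so no assertion is issued.

```java
package com.example.saml2; // hypothetical package name, not part of AM

import java.io.IOException;
import java.util.Collections;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;
import com.sun.identity.saml2.common.SAML2Exception;
import com.sun.identity.saml2.plugins.DefaultIDPAdapter;
import com.sun.identity.saml2.protocol.AuthnRequest;

/**
 * IdP adapter that evaluates an AM policy for the target SP before the
 * IdP sends its SAML response. A deny decision stops the flow with a 403
 * instead of letting the assertion go out, which is what the policy set
 * alone does not achieve because AM skips policy evaluation in SAML2 flows.
 */
public class PolicyGatedIdpAdapter extends DefaultIDPAdapter {

    // Assumed name of the policy set (application) holding the URL
    // resource and the group subject condition from the question.
    private static final String POLICY_SET = "SamlAccess";

    // Action to evaluate; must match an action allowed in the policy.
    private static final String ACTION = "GET";

    @Override
    public boolean preSendResponse(AuthnRequest authnRequest, String hostProviderID,
            String realm, HttpServletRequest request, HttpServletResponse response,
            Object session, String reqID, String relayState) throws SAML2Exception {

        // In an IdP-initiated flow there is no AuthnRequest, so the SP is
        // identified by the spEntityID query parameter of idpSSOInit.jsp.
        String spEntityID = (authnRequest != null && authnRequest.getIssuer() != null)
                ? authnRequest.getIssuer().getValue()
                : request.getParameter("spEntityID");

        try {
            // Fail closed: no identifiable SP means no decision can be made.
            if (spEntityID == null || spEntityID.isEmpty()) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Cannot determine SP entity ID for policy evaluation");
                return true;
            }

            // Assumption: the default session provider hands the SSOToken
            // through as the opaque session object.
            SSOToken token = (SSOToken) session;

            // Evaluate the policy set in the realm the IdP is hosted in. The
            // resource string must match the URL pattern configured in the
            // policy, i.e. the SP entity ID the question added to the URL list.
            PolicyEvaluator evaluator = new PolicyEvaluator(realm, POLICY_SET);
            boolean allowed = evaluator.isAllowed(token, spEntityID, ACTION,
                    Collections.<String, java.util.Set<String>>emptyMap());

            if (allowed) {
                return false; // let the IdP continue and issue the assertion
            }

            // Deny: answer the browser directly and tell the IdP the response
            // has been handled, so no SAML response is sent to the SP.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Access to " + spEntityID + " denied by policy " + POLICY_SET);
            return true;
        } catch (SSOException | PolicyException | IOException e) {
            // Surface the failure as a SAML2 error rather than silently allowing.
            throw new SAML2Exception(e.getMessage());
        }
    }
}
```

Build this against the AM webapp's WEB-INF/lib, drop the resulting jar into the same directory, and set the class name as the IDP Adapter in the hosted IdP's Assertion Processing configuration; then re-run the IdP-initiated URL as a user outside the group and confirm a 403 is returned instead of a SAMLResponse form. Because the adapter throws on evaluator errors and denies when the SP cannot be identified, a misconfigured policy set results in blocked logins rather than unintended assertions, which is the safer failure mode for a control like this.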