Thanks again Misagh. I'll have a look through those principal resolvers. The multiple record DB one sounds most likely to fit my use case.
As long as I can pass the serviceId into the PrincipalResolver, I can restrict the DB query easily. The serviceId contains the application URL (which contains the application name) and roles are joined against application name in the DB. So the question is, how do I get the serviceId to the resolver?

On Friday, September 2, 2016 at 10:18:47 PM UTC+12, Misagh Moayyed wrote:
> There are options for principal resolution that allow you to retrieve
> attributes for a principal that is mapped to a single DB record, or
> multiple DB records. Look into those, and if insufficient, write/script
> your own.
>
> If you don’t know what attributes you’d be getting back from the resolver,
> then there is no way you can make a decision on what each app would
> receive. You’ve gotta know before you can design that rule. So either you
> end up releasing everything to the app, (which is probably a bad idea) or
> you think of some other fancy option like releasing things based on a
> predefined attribute name pattern…or you learn which attributes each app
> wants and you get those released out of the principal which is probably
> something you should do.
>
> --
> Misagh
