UWVA#53857 SSO (via SAML) kunnen beperken tot een autorisatiegroep

svn path=/Website/branches/v2018.1/; revision=38827

APPL/API2/model_aut_idp.inc

@@ -146,13 +146,12 @@ function model_aut_idp(params)
              "foreign": "prs_afdeling",
              "label": L("lcl_idp_department")
         },
-/*        "authorization": {
+        "authorization": {
             "dbs": "fac_functie_key",
             "label": L("aut_idp_functie_key"),
             "typ": "key",
             "foreign": "fac_functie"
         },
-*/
         "loglevel": {
             "dbs": "aut_idp_loglevel",
             "label": L("aut_idp_loglevel"),

APPL/AUT/Login.inc

@@ -1163,7 +1163,15 @@ function process_claim(claim, idp_data, params)
             shared.auditfail(L("lcl_autfai_loginnotfound").format(idpm.name.name,  idpm.from, claim[idpm.from]));
         }
         else
+        {
+            if (idp_data.authorization.id > 0 && !user.has(idp_data.authorization.id))
+            {
+                doLogoff();
+                shared.simpel_page(L("lcl_no_auth"))
+            }
+
             break; // ingelogd, niet verder zoeken
+        }
     }
     if (!hasIdentify)
         shared.internal_error("IdP {0} has no identifying attribute defined.".format(idp_data.code));