From de8fc60d08e41f3474a323e92bc1a36546ffbee5 Mon Sep 17 00:00:00 2001
From: Jos Groot Lipman
Date: Wed, 15 Aug 2018 16:00:17 +0000
Subject: [PATCH] UWVA#53857 SSO (via SAML) kunnen beperken tot een autorisatiegroep
svn path=/Website/branches/v2018.1/; revision=38827
---
 APPL/API2/model_aut_idp.inc | 3 +--
 APPL/AUT/Login.inc | 8 ++++++++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/APPL/API2/model_aut_idp.inc b/APPL/API2/model_aut_idp.inc
index f2e7323221..2f331d438d 100644
--- a/APPL/API2/model_aut_idp.inc
+++ b/APPL/API2/model_aut_idp.inc
@@ -146,13 +146,12 @@ function model_aut_idp(params)
 "foreign": "prs_afdeling",
 "label": L("lcl_idp_department")
 },
-/* "authorization": {
+ "authorization": {
 "dbs": "fac_functie_key",
 "label": L("aut_idp_functie_key"),
 "typ": "key",
 "foreign": "fac_functie"
 },
-*/
 "loglevel": {
 "dbs": "aut_idp_loglevel",
 "label": L("aut_idp_loglevel"),
diff --git a/APPL/AUT/Login.inc b/APPL/AUT/Login.inc
index 21bfee967c..4ffb69e7aa 100644
--- a/APPL/AUT/Login.inc
+++ b/APPL/AUT/Login.inc
@@ -1163,7 +1163,15 @@ function process_claim(claim, idp_data, params)
 shared.auditfail(L("lcl_autfai_loginnotfound").format(idpm.name.name, idpm.from, claim[idpm.from]));
 }
 else
+ {
+ if (idp_data.authorization.id > 0 && !user.has(idp_data.authorization.id))
+ {
+ doLogoff();
+ shared.simpel_page(L("lcl_no_auth"))
+ }
+
 break; // ingelogd, niet verder zoeken
+ }
 }
 if (!hasIdentify)
 shared.internal_error("IdP {0} has no identifying attribute defined.".format(idp_data.code));
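Review bot: The new authorization check under `else` denies the SSO login without an audit record and then still reaches `break; // ingelogd, niet verder zoeken`, the same exit the successful login takes. The not-found branch just above calls `shared.auditfail(...)`, so a rejected login for a user outside the authorization group should be recorded the same way, e.g. `shared.auditfail(L("lcl_no_auth"));` before `doLogoff();`. Whether `shared.simpel_page` ends the response is not visible here; if it returns, the code after the loop runs as if the login had succeeded, so the denial path should stop explicitly rather than share the `break` (the `simpel_page` call is also missing its `;`). `idp_data.authorization.id` is dereferenced unguarded, which presumably relies on the model always supplying an `authorization` object even when no group is configured for the IdP; that is worth confirming. process_claim starts and ends outside the hunk.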