Ability to block logins based on a SAML attribute

[richvdh]

For some SAML-backed deployments, it is useful to be able to allow or deny login based on the value of a SAML attribute.

For example, consider a system where SAML users are divided into "staff" and "customers". The organisation wishes only staff to have access to the Matrix server. The SAML server might return the following in the SAML assertion:

    <ns0:Attribute FriendlyName="userGroup" Name="https://example.com/userGroup" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <ns0:AttributeValue xsi:type="xsd:string">staff</ns0:AttributeValue>
    </ns0:Attribute>

The SAML handler should inspect the userGroup attribute and check that it matches staff. Obviously, the attribute name and value need to be configurable.

I suggest that we implement this in the core SamlHandler rather than the SamlMappingProvider. I'd suggest configuration options like:

attribute requirements:
  - name: userGroup
    value: staff

(which leaves the route open in future to specifying a type of match such as contains or (regex)matches).