We don't want traffic going to apps that is not authenticated and authorized.
- We can restrict SaaS traffic from IdP based on Grouper group
- We restrict traffic from an Apache reverse proxy to not send traffic that is not authenticated and authorized.
- Can help with deprovisioning
Example is Peoplesoft alumni and giving application
It used to run with weblogic accepting connections. Now we have an apache reverse proxy.
But who is allowed? They get provisioned inside the application. Get a feed.
Restrict traffic from the apache SP with this apache config:
Require shib-attr entitlement urn:mace:upenn.edu:penn:isc:ait:apps:peoplesoft:service:policy:psProdServer