In our environment, we are authenticating our users via Shibboleth against ADLDS. Authentication works well, however we are having an authorization issue. Right now, any user with login credentials in the domain (i.e., every student, staff, and faculty member as well as a number of contractors and former students) is able to access Open OnDemand. Most can’t do anything more than that - unless they have been granted HPC user accounts, they can’t queue up jobs. In a few cases, though, we have found that users who once were authorized for HPC cluster access are still able to upload files, as we don’t typically archive and purge users’ home directories unless we know that their relationship with the university is terminated permanently or unless they specifically ask that we do so. This is a problem for us. We would like to be able to restrict access to Open OnDemand to only those who possess active login shells and home directories on our cluster. Is there a good way to do this?
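One way to express the eligibility rule described in the question above (a usable login shell and an existing home directory), as an added example that is not part of the original post and is not Open OnDemand's own code. The function names, the list of disabled shells and the sample passwd entries are constructed assumptions, and the input is assumed to be an already-mapped local account name.

```shell
#!/bin/sh
# Added example, not from the original post. All names here are hypothetical.
# Shells treated as "account cannot log in" (assumed site convention).
DENY_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# hpc_user_allowed USER [PASSWD_FILE]
# Prints USER and returns 0 only if the account exists, has a usable login
# shell, and its home directory is present. Prints nothing otherwise.
hpc_user_allowed() (
    user=$1
    passwd_file=${2:-}
    # Accept only plain lowercase account names; reject everything else.
    case $user in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    if [ -n "$passwd_file" ]; then
        # Offline/test path: read a passwd-format file.
        entry=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$passwd_file")
    else
        # Live path: NSS lookup, so directory-backed accounts are seen too.
        entry=$(getent passwd "$user") || return 1
    fi
    [ -n "$entry" ] || return 1
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    # Fail closed: an empty shell field is treated as "no login shell".
    [ -n "$shell" ] || return 1
    case " $DENY_SHELLS " in *" $shell "*) return 1 ;; esac
    [ -n "$home" ] && [ -d "$home" ] || return 1
    printf '%s\n' "$user"
)

# Constructed fixture: a passwd file plus home directories under a temp dir.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/carol"
    cat > "$d/passwd" <<EOF
alice:x:1001:1001:active user:$d/home/alice:/bin/bash
bob:x:1002:1002:home purged:$d/home/bob:/bin/bash
carol:x:1003:1003:former user, home kept:$d/home/carol:/sbin/nologin
EOF
    printf '%s\n' "$d"
}

fx=$(make_fixture)
for u in alice bob carol dave 'al;ice'; do
    hpc_user_allowed "$u" "$fx/passwd" >/dev/null && echo "$u: allow" || echo "$u: deny"
done
rm -rf "$fx"
```

The `carol` entry models the case in the question: a former cluster user whose home directory was never purged is still denied because the login shell is disabled. How the check is wired into the portal's identity-to-account mapping is site-specific and not shown.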