Hi all, I've got a SAML service that has login requirements that must be performed on the CAS/IdP side. Basically, I want a list of users (matched by uid) to be allowed access to this specific service.
I read the docs at https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html and went ahead configuring a service. The service config is below:

    {
      @class: org.apereo.cas.support.saml.services.SamlRegisteredService
      name: Some Service
      id: 1005
      serviceId: https://example.com/shibboleth-sp
      attributeReleasePolicy: {
        @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes: {
          @class: java.util.TreeMap
          uid: uid
          mail: special-mail-name
        }
      }
      accessStrategy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
        enabled: true
        ssoEnabled: true
        requiredAttributes: {
          @class: java.util.HashMap
          uid: ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
        }
      }
      proxyPolicy: {
        @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
      }
      metadataLocation: /etc/cas/metadata/metadata.xml
      metadataCriteriaPattern: https://example.com/shibboleth-sp
    }

To test, I go to https://my.cas.local/cas/login?service=https://example.com/shibboleth-sp, log in, and it works. I am denied when I should be and allowed when I should be.

The problem is when I go to use the service properly. I go to the service, get redirected back to CAS, and the access strategy is completely ignored. I see the below:

    DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{uid=mareid, mail=something}]>
    DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>

After doing some digging, it seems like the SAML services use the RegexRegisteredService instead of the actual service when performing authentication. Now I am stuck: I have other SAML services that use the RegexRegisteredService, but I want to be able to limit authorization only in this specific service. Is there any other way to do authorization at the CAS end for SAML services?
Thanks, Mac Reid -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/198757d8-fb34-42b8-aeef-52cb52988d1f%40apereo.org.
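The situation the post describes, modelled as an added example in Python (this is not CAS code and not the poster's code). It reproduces two things: the access-strategy evaluation in which an empty requiredAttributes map means "no rules, allow" (the branch behind the "Skipping access strategy policy" log line), and service lookup in which the first registered service whose serviceId pattern matches the requested entityID wins. The names RegisteredService, access_allowed, resolve_service, authorize, CATCH_ALL and SHIB_SP are this example's own; the assumption that a broad RegexRegisteredService with a lower evaluationOrder is consulted before the specific SamlRegisteredService is the mechanism the post suspects, not something the post confirms. The registry contents are constructed sample data.

```python
"""Model of CAS-style per-service access strategy and service lookup (added example, not CAS code)."""
import re
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass
class RegisteredService:
    name: str
    service_id: str                     # regex matched against the service URL / SAML entityID
    evaluation_order: int               # assumption: lower values are consulted first, like evaluationOrder
    required_attributes: Dict[str, Set[str]] = field(default_factory=dict)  # attribute -> regex patterns
    require_all: bool = True            # every listed attribute must match (False: any one is enough)
    case_insensitive: bool = False


def access_allowed(svc: RegisteredService, principal: Dict[str, Union[str, List[str]]]) -> bool:
    """True when the principal satisfies svc.required_attributes.

    An empty rule set allows everyone; that is the "Skipping access strategy
    policy, since no attributes rules are defined" branch from the post's log.
    """
    if not svc.required_attributes:
        return True
    flags = re.IGNORECASE if svc.case_insensitive else 0

    def attribute_matches(attr: str, patterns: Set[str]) -> bool:
        values = principal.get(attr, [])
        if isinstance(values, str):
            values = [values]
        # Patterns are searched, not implicitly anchored, so a bare "bob" would also
        # accept "bobby"; the ^bob$ style used in the post is the safe way to write them.
        return any(re.search(p, v, flags) for p in patterns for v in values)

    outcomes = [attribute_matches(a, p) for a, p in svc.required_attributes.items()]
    return all(outcomes) if svc.require_all else any(outcomes)


def resolve_service(services: List[RegisteredService], requested: str) -> Optional[RegisteredService]:
    """First service, in evaluation order, whose service_id pattern matches the request."""
    for svc in sorted(services, key=lambda s: s.evaluation_order):
        if re.fullmatch(svc.service_id, requested):
            return svc
    return None


def authorize(services: List[RegisteredService], requested: str,
              principal: Dict[str, Union[str, List[str]]]) -> Tuple[Optional[str], bool]:
    """(name of the service that handled the request, allowed?)."""
    svc = resolve_service(services, requested)
    if svc is None:
        return None, False           # unregistered service: refused outright
    return svc.name, access_allowed(svc, principal)


# Constructed sample registry: a broad catch-all alongside the post's specific SAML service.
CATCH_ALL = RegisteredService("catch-all", r"https://.*", evaluation_order=10)
SHIB_SP = RegisteredService(
    "Some Service",
    r"https://example\.com/shibboleth-sp",
    evaluation_order=20,
    required_attributes={"uid": {"^bob$", "^joe$", "^sue$"}},
)
ENTITY_ID = "https://example.com/shibboleth-sp"


def shadowed_decision(principal: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Registry as above: the catch-all wins, so the uid rule is never consulted."""
    return authorize([CATCH_ALL, SHIB_SP], ENTITY_ID, principal)


def fixed_decision(principal: Dict[str, str]) -> Tuple[Optional[str], bool]:
    """Same registry with the specific service moved ahead of the catch-all."""
    specific_first = replace(SHIB_SP, evaluation_order=0)
    return authorize([CATCH_ALL, specific_first], ENTITY_ID, principal)


if __name__ == "__main__":
    for uid in ("mareid", "bob"):
        print(uid, "shadowed:", shadowed_decision({"uid": uid}),
              "fixed:", fixed_decision({"uid": uid}))
```

The check a practitioner wants from this is the one the post's log already hints at: when the DEBUG line names DefaultRegisteredServiceAccessStrategy skipping its rules, confirm which registered service actually matched the request (the one with the access strategy, or a broader catch-all that was consulted first) before touching the strategy itself.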
