Artur, I think excludedAuthenticationHandlers is only for the authentication flow and not a policy for service access.
Take a look at https://apereo.github.io/cas/6.3.x/services/Configuring-Service-Access-Strategy.html for service access policy.

Ray

On Wed, 2021-07-21 at 03:41 -0700, artur miś wrote:

Hello,

- 3 handlers
- 2 services

If I have in service AA

    "authenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
      "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "a", "b" ]],
      "excludedAuthenticationHandlers" : ["java.util.TreeSet", [ "c" ]]
    }

and service BB

    "authenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
      "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "a", "b", "c" ]],
      "excludedAuthenticationHandlers" : ["java.util.TreeSet", []]
    }

At the beginning I tried to auth to service AA (the user is a member of the group for the searchFilter of handler c) - that WORKS, I can't auth; "excludedAuthenticationHandlers" works in a perfect way.

Later, I started to browse https://BB as the same user as before, from the c handler. After logging into the BB service I tried to access http://AA/login and I was surprised that I received access granted without writing the password again.

So "excludedAuthenticationHandlers" does not work in this case if the user was already authenticated before for service BB.

How can I lock the possibility to auth a user to service AA if he was authed to BB, without switching off SSO, because I would like that sharing key to work if I have a user in the b handler?

Sample handler a:

    cas.authn.ldap[0].name=ktolet
    cas.authn.ldap[0].type=AUTHENTICATED
    cas.authn.ldap[0].ldapUrl=ldaps://fff:port
    cas.authn.ldap[0].baseDn=dc=fc,dc=int
    cas.authn.ldap[0].bindDn=ldap
    cas.authn.ldap[0].bindCredential=vgvb
    cas.authn.ldap[0].searchFilter=(&(memberOf=CN=gvSM. etc .)(sAMAccountName={user}))
    cas.authn.ldap[0].principalAttributeId=sAMAccountName
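A service access strategy of the kind the linked documentation page describes, as an added example that is not part of the original thread and not the CAS project's own configuration. It assumes that the LDAP handlers release `memberOf` as a principal attribute and that users of handlers a and b belong to groups the handler c users do not; the service id, numeric id and group DNs are placeholders.

```json
{
  /* Added example: registration for service AA. The id and serviceId are constructed. */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://AA/.*",
  "name" : "AA",
  "id" : 1001,

  /* The authentication policy from the thread, unchanged. */
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "a", "b" ]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", [ "c" ]]
  },

  /* Access is decided from the principal's attributes, so the rule also
     applies to a user who arrives with an SSO session created at BB.
     Assumption: memberOf is available as a principal attribute. */
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [
        "CN=<group-for-handler-a>,<base-dn>",
        "CN=<group-for-handler-b>,<base-dn>"
      ] ]
    }
  }
}
```

With `requiredAttributes`, a principal holding any one of the listed `memberOf` values is allowed, so SSO between AA and BB keeps working for users of handlers a and b.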
