This is what I'm using...to be honest I can't seem to recall if this does not bother trying the other resources...I think it does what we originally wanted.

    "authenticationPolicy": {
        "requiredAuthenticationHandlers": ["LDAP"],
        "criteria": {
            "tryAll": false,
            "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
        },
        "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
    },

On 12/2/21 10:34 AM, artur miś wrote:
Have you found a solution?

On Tuesday, 4 May 2021 at 17:58:20 UTC+2, C Ryan wrote:

    Folks,


    Sorry for the likely stupid post, I swore I had sorted this prior.
    But I have 3 authentication sources defined. LDAP, Radius and
    Google MFA.

    I want to restrict a service to using - and most importantly
    trying - only an explicitly configured service. I.e. If I say LDAP
    as the Auth Resource, upon a failure I do _not_ want it to go
    ahead and try the other resources.


    In cas.properties I have:

    cas.authn.policy.source-selection-enabled=false
    cas.authn.policy.required-handler-authentication-policy-enabled=true
    cas.authn.policy.req.try-all=false


    and an example service definition as below:

    {
        "_id": {
            "$numberLong": "9999999999999"
        },
        "serviceId": "xxxxxxxxxx",
        "name": "SSO CAS Server",
        "expirationPolicy": {
            "deleteWhenExpired": false,
            "notifyWhenDeleted": false,
            "notifyWhenExpired": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
        },
        "acceptableUsagePolicy": {
            "enabled": true,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
        },
        "proxyPolicy": {
            "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
        },
        "proxyTicketExpirationPolicy": {
            "numberOfUses": {
                "$numberLong": "0"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
        },
        "serviceTicketExpirationPolicy": {
            "numberOfUses": {
                "$numberLong": "0"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
        },
        "evaluationOrder": 99999,
        "usernameAttributeProvider": {
            "canonicalizationMode": "NONE",
            "encryptUsername": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
        },
        "logoutType": "BACK_CHANNEL",
        "environments": [],
        "attributeReleasePolicy": {
            "principalAttributesRepository": {
                "mergingStrategy": "MULTIVALUED",
                "attributeRepositoryIds": [],
                "ignoreResolvedAttributes": false,
                "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
            },
            "consentPolicy": {
                "enabled": true,
                "order": 0,
                "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
            },
            "authorizedToReleaseCredentialPassword": false,
            "authorizedToReleaseProxyGrantingTicket": false,
            "excludeDefaultAttributes": false,
            "authorizedToReleaseAuthenticationAttributes": true,
            "order": 0,
            "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
        },
        "multifactorPolicy": {
            "multifactorAuthenticationProviders": [],
            "failureMode": "UNDEFINED",
            "bypassEnabled": false,
            "forceExecution": false,
            "bypassTrustedDeviceEnabled": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
        },
        "accessStrategy": {
            "order": 0,
            "enabled": true,
            "ssoEnabled": true,
            "delegatedAuthenticationPolicy": {
                "allowedProviders": [],
                "permitUndefined": true,
                "exclusive": false,
                "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
            },
            "requireAllAttributes": true,
            "requiredAttributes": {},
            "rejectedAttributes": {},
            "caseInsensitive": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
        },
        "authenticationPolicy": {
            "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
            "criteria": {
                "tryAll": false,
                "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
        },
        "properties": {},
        "contacts": [],
        "_class": "org.apereo.cas.services.RegexRegisteredService"
    }

    What am I missing?

    Thanks
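
The two authenticationPolicy blocks in this thread differ in their criteria class and in how the handler set is serialized (a plain list versus a typed ["java.util.TreeSet", [...]] pair). The following is an added example, not code from either poster or from CAS: a small audit over exported service definitions that normalizes both shapes and lists services naming no required handler. The service IDs and the third, policy-less service are constructed, and the script only reports what is configured; it does not model how CAS evaluates the policy.

```python
import json

# Constructed sample registry: the two authenticationPolicy shapes from this
# thread, plus a hypothetical service with no policy at all.
SAMPLE = json.loads("""
[
 {"serviceId": "svc-reply", "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["LDAP"],
    "criteria": {"tryAll": false, "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"},
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"}},
 {"serviceId": "svc-original", "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
    "criteria": {"tryAll": false, "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"},
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"}},
 {"serviceId": "svc-unrestricted"}
]
""")

def handler_names(value):
    """Return handler names from a plain list or a typed [class, [items]] pair."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and isinstance(value[1], list)):
        return sorted(value[1])          # e.g. ["java.util.TreeSet", ["LDAP"]]
    return sorted(value or [])

def summarize(service):
    """Extract the handler set, criteria short class name and tryAll flag."""
    policy = service.get("authenticationPolicy") or {}
    criteria = policy.get("criteria") or {}
    return {
        "serviceId": service.get("serviceId"),
        "handlers": handler_names(policy.get("requiredAuthenticationHandlers")),
        "criteria": criteria.get("_class", "").rsplit(".", 1)[-1] or None,
        "tryAll": criteria.get("tryAll"),
    }

def audit(services):
    """Summarize every service and list those that name no required handler."""
    rows = [summarize(s) for s in services]
    unrestricted = [r["serviceId"] for r in rows if not r["handlers"]]
    return rows, unrestricted

if __name__ == "__main__":
    rows, unrestricted = audit(SAMPLE)
    for r in rows:
        print(r)
    print("no required handlers:", unrestricted)
```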

