Dear C Ryan,

I have made some new tests with:

"try-All": true
or
"tryAll": true

User kowalski has credentials in the handlers ppm and everest.

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://serwis.org/casphp*",
  "name": "Test",
  "id": 1,
  "description": "Straggle Today!",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
    "criteria": {
      "tryAll": true,   // or "try-All": true
      "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
    },
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  }
}
With cas.properties:
cas.authn.policy.required-handler-authentication-policy-enabled=true


Shortened DEBUG log from CAS:
Examining the credential is not deterministic; sometimes it starts from the handler ppm, sometimes from everest_365, sometimes from everest (probably this is normal, or maybe I could put <handler>.order=0, but it seems not to be enough; I would like the service to launch the handlers in a deterministic way). This small example shows how it goes in my case:

2021-12-03 16:31:11,779 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler] - <Examining credential [UsernamePasswordCredential(username=kowalski, source=null, customFields={})] eligibility for authentication handler [ppm]>

Here I can't see any attempt to examine the credential against the everest handler (after it had reached ppm it did not try to examine any other handlers; one positive is that kowalski is not able to use the credential from ppm to log in to serwis.org/casphp).

Let's go further...

2021-12-03 16:31:11,854 DEBUG [org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy] - <Authentication policy is satisfied having found at least one authentication transactions>

...

2021-12-03 16:31:12,063 DEBUG [org.apereo.cas.authentication.policy.RequiredHandlerAuthenticationPolicyFactory] - <Required authentication handlers for this service [Test] are [[everest]]>
2021-12-03 16:31:12,064 INFO 
[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit 
trail record BEGIN
=============================================================
WHO: kowalski
WHAT: https://serwice.org/casphp
ACTION: SERVICE_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Fri Dec 03 16:31:12 GMT 2021
CLIENT IP ADDRESS: *****
SERVER IP ADDRESS: ****
=============================================================

>



It looks like CAS doesn't even try to examine the other handlers, but why, if I have included tryAll or try-All in the JSON file?
What's more, I have seen that if CAS first examines e.g. everest_365, where kowalski has no credentials, CAS switches to the next handler and starts examining the next handlers. If it is ppm, the user is successfully authenticated and no more action with everest is taken.


I don't know if I explained it well. Anyway, thank you if you have time to spend on this topic.
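Two checks I would run against what is posted above, as an added example in Python rather than code from CAS or from anyone in this thread: a lint of the service definition's authenticationPolicy section (it flags the hyphenated try-All as a key that does not match the tryAll property, a non-boolean value, an empty required-handler list, and a criteria block whose class key differs from the service's @class/_class), and a parser for the "Examining credential ... eligibility for authentication handler [...]" DEBUG lines that lists the handlers CAS actually tried, so the required handler can be checked against that sequence. The property name tryAll, the @class/_class split between the JSON and MongoDB registries, and the log line format are taken from the definitions and log excerpts quoted in this thread and are assumptions beyond that; the sample service and log lines are constructed from them.

```python
"""Checks for a CAS registered-service authenticationPolicy and for the handler
sequence CAS logs while examining a credential. Added example for this thread,
not code from CAS. Assumptions (taken from the thread, not verified against the
CAS source): the JSON registry uses "@class" and the MongoDB registry "_class";
the criteria property is spelled "tryAll", so "try-All" is reported as an
unrecognised key; the DEBUG line format is the one quoted in the thread."""
import re
from typing import Dict, List, Tuple

CLASS_KEYS = ("@class", "_class")          # JSON registry vs MongoDB registry
CRITERIA_KEYS = {"tryAll", *CLASS_KEYS}


def required_handlers(service: Dict) -> List[str]:
    """Unwrap ["java.util.TreeSet", [...]] (Jackson typed collection) or a bare list."""
    value = service.get("authenticationPolicy", {}).get("requiredAuthenticationHandlers", [])
    if not isinstance(value, list):
        return []
    if len(value) == 2 and isinstance(value[0], str) and value[0].startswith("java.util."):
        value = value[1] if isinstance(value[1], list) else []
    return [h for h in value if isinstance(h, str)]


def lint_authentication_policy(service: Dict) -> List[str]:
    """Human-readable findings; an empty list means the section looks consistent."""
    findings: List[str] = []
    policy = service.get("authenticationPolicy")
    if not isinstance(policy, dict):
        return ["no authenticationPolicy: no handler is required for this service"]
    if not required_handlers(service):
        findings.append("requiredAuthenticationHandlers is empty or malformed")
    criteria = policy.get("criteria")
    if not isinstance(criteria, dict):
        findings.append("criteria missing: no AuthenticationPolicyCriteria class is selected")
        return findings
    service_class_key = next((k for k in CLASS_KEYS if k in service), None)
    for key, value in criteria.items():
        if key not in CRITERIA_KEYS:
            hint = " (expected 'tryAll')" if key.lower().replace("-", "") == "tryall" else ""
            findings.append(f"criteria key {key!r} is not a recognised property{hint}")
        elif key == "tryAll" and not isinstance(value, bool):
            findings.append(f"tryAll must be a JSON boolean, got {value!r}")
    if service_class_key and service_class_key not in criteria:
        findings.append(f"criteria lacks {service_class_key!r}, the class key the service uses")
    return findings


# One DEBUG record is wrapped over several lines in the thread; records are joined first.
EXAMINING = re.compile(
    r"Examining credential \[.*?username=(?P<user>[^,\]]+).*?\] eligibility for "
    r"authentication handler \[(?P<handler>[^\]]+)\]")


def handlers_examined(log_text: str) -> List[Tuple[str, str]]:
    """(username, handler) pairs in the order CAS examined them."""
    flat = " ".join(line.strip() for line in log_text.splitlines())
    return [(m.group("user"), m.group("handler")) for m in EXAMINING.finditer(flat)]


def required_handler_was_tried(log_text: str, service: Dict) -> bool:
    """True if every handler the service requires appears in the examined sequence."""
    tried = {handler for _, handler in handlers_examined(log_text)}
    required = required_handlers(service)
    return bool(required) and set(required) <= tried


# Constructed sample: the definition and log excerpt posted in the thread.
SAMPLE_SERVICE = {
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^(http|https|imaps)://serwis.org/casphp*",
    "name": "Test", "id": 1,
    "authenticationPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
        "requiredAuthenticationHandlers": ["java.util.TreeSet", ["everest"]],
        "criteria": {
            "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria",
            "try-All": True,
        },
    },
}
SAMPLE_LOG = """\
2021-12-03 16:31:11,779 DEBUG [org.apereo.cas.authentication.handler.support.AbstractUsernamePasswordAuthenticationHandler]
 - <Examining credential [UsernamePasswordCredential(username=kowalski,
source=null, customFields={})] eligibility for authentication handler [ppm]>
2021-12-03 16:31:11,854 DEBUG [org.apereo.cas.authentication.policy.AtLeastOneCredentialValidatedAuthenticationPolicy]
 - <Authentication policy is satisfied having found at least one authentication transactions>
"""

if __name__ == "__main__":
    for finding in lint_authentication_policy(SAMPLE_SERVICE):
        print("finding:", finding)
    print("examined:", handlers_examined(SAMPLE_LOG))
    print("required handler tried:", required_handler_was_tried(SAMPLE_LOG, SAMPLE_SERVICE))
```

Run it against each service JSON before restarting CAS; the log parser is meant to be fed the DEBUG output of one login attempt per run so that handler order can be compared across restarts.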





On Friday, 3 December 2021 at 12:59:32 UTC+1, artur miś wrote:

> My service is test-1.json
>
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "^(http|https|imaps)://serwis.org/casphp*",
>   "name": "test",
>   "id": 1,
>   "description": "Straggle Today!",
>   "authenticationPolicy": {
>     "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
>     "criteria": {
>       "try-All": false,   // <- this probably should make the magic, but it didn't
>       "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
>     },
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>   }
> }
>
>
> I have not included in cas.properties any directive like cas.authn.policy.<xxx>:
>
> cas.authn.policy.any.try-All
> or
> cas.authn.policy.all.enabled
> or
> cas.authn.policy.source-selection-enabled
> or
> cas.authn.policy.required-handler-authentication-policy-enabled
>
>
>
> My CAS overlay version is 6.3.2 on Docker. I have 3 AD handlers, and I test a non-service login via https://exaple.org/casphp and I can see that sometimes it uses the ppm handler, sometimes the second one, everest, because userx is in both; that seems to be OK. I test for a service via the REST API (because for this sandbox CAS I have not connected any service physically yet, so I test it via the command line, but that doesn't seem to be the reason for the problems), but I truly believe that you have some hack to manage it.
>
>
>
> TEST curl:
> from the server side:
> cat api_test.bash
> #!/bin/bash
> # 1. username/password -> TGT (the id is printed in the response body)
> ff=$(curl -k -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
>   -H 'Accept: application/json' https://example.org/casphp/v1/tickets \
>   -d 'username=userx&password=xxx')
> echo "$ff"
> # 2. TGT -> service ticket for the registered service
> st=$(curl -k -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
>   -H 'Accept: application/json' \
>   "https://example.org/casphp/v1/tickets/${ff}?service=https://serwis.org/casphp")
> echo "$st"
> # 3. validate the service ticket; the p3 response lists the handlers that succeeded
> output=$(curl -k -s \
>   "https://example.org/casphp/p3/serviceValidate?service=https://serwice.org/casphp&ticket=${st}")
> echo "|$output|"
>
> So I received:
>
> |<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
>     <cas:authenticationSuccess>
>         <cas:user>userx</cas:user>
>         <cas:attributes>
>             <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
>             <cas:isFromNewLogin>true</cas:isFromNewLogin>
>             <cas:authenticationDate>2021-12-03T11:25:14.792314Z</cas:authenticationDate>
>             <cas:authenticationMethod>ppm</cas:authenticationMethod>
>             <cas:successfulAuthenticationHandlers>ppm</cas:successfulAuthenticationHandlers>
>             <- here I want to have everest deterministically (not sometimes ppm, sometimes everest)
>             <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
>         </cas:attributes>
>     </cas:authenticationSuccess>
> </cas:serviceResponse>|
>
>
> The result is not deterministic. The user receives authentication sometimes from ppm, sometimes from everest. I discovered that if I restart the CAS container I may get ppm, and it seems that until the next restart it keeps the ppm handler. If I restart CAS again I can get ppm or everest. Between restarts it looks like it keeps the handler chosen at the beginning. It is a little bit of magic for me.
>
>
>
>
>
>
>
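The same REST round trip as the api_test.bash script above, as an added Python example (not CAS project code and not the poster's script): it creates the TGT and the service ticket, validates the ticket through /p3/serviceValidate, and parses the response so that each run can be checked against the handler the service requires instead of reading the XML by eye. The endpoints are the ones the script uses; reading the TGT id from the Location header of the 201 response, the placeholder host, service, user and password, and accepting a comma-separated handler list are assumptions. The sample responses are constructed from the one quoted above.

```python
"""CAS REST round trip (credentials -> TGT -> ST -> p3/serviceValidate) that reports
which authentication handler actually succeeded, so runs can be compared for the
determinism the thread is after. Added example for this thread, not CAS project
code. Assumptions: the /v1/tickets and /p3/serviceValidate endpoints from the
thread's script; the TGT id is taken from the 201 response's Location header;
host, service, user and password are placeholders. TLS verification stays on:
pass the CAS server's CA bundle instead of curl's -k."""
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
HANDLERS_PATH = "cas:authenticationSuccess/cas:attributes/cas:successfulAuthenticationHandlers"


def authenticated_user(validate_xml: str) -> Optional[str]:
    """<cas:user> from a successful CAS 3.0 validation response, else None."""
    user = ET.fromstring(validate_xml).find("cas:authenticationSuccess/cas:user", CAS_NS)
    return user.text if user is not None else None


def successful_handlers(validate_xml: str) -> List[str]:
    """Handler names CAS reports as successful; [] on authenticationFailure.
    Accepts one element per handler or a single comma-separated element."""
    root = ET.fromstring(validate_xml)
    if root.find("cas:authenticationFailure", CAS_NS) is not None:
        return []
    names: List[str] = []
    for el in root.findall(HANDLERS_PATH, CAS_NS):
        names.extend(p.strip() for p in (el.text or "").split(",") if p.strip())
    return names


def handler_matches(validate_xml: str, required: str) -> bool:
    """True only if the handler the service requires is among those that succeeded."""
    return required in successful_handlers(validate_xml)


def _post(url: str, form: Dict[str, str], ctx: ssl.SSLContext) -> Tuple[int, Dict[str, str], str]:
    """POST a form and return (status, lower-cased headers, body), also for 4xx/5xx."""
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(form).encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()
    except urllib.error.HTTPError as err:           # error responses still carry a body
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read().decode()


def rest_login_and_validate(cas_base: str, service: str, username: str,
                            password: str, cafile: Optional[str] = None) -> str:
    """Run the three REST calls and return the serviceValidate XML."""
    ctx = ssl.create_default_context(cafile=cafile)
    status, headers, body = _post(f"{cas_base}/v1/tickets",
                                  {"username": username, "password": password}, ctx)
    if status != 201 or "location" not in headers:
        raise RuntimeError(f"TGT not created: HTTP {status}: {body[:200]}")
    tgt = headers["location"].rstrip("/").rsplit("/", 1)[-1]   # .../v1/tickets/TGT-...
    status, _, st = _post(f"{cas_base}/v1/tickets/{tgt}", {"service": service}, ctx)
    if status != 200:
        raise RuntimeError(f"ST not created: HTTP {status}: {st[:200]}")
    query = urllib.parse.urlencode({"service": service, "ticket": st.strip()})
    with urllib.request.urlopen(f"{cas_base}/p3/serviceValidate?{query}", context=ctx) as resp:
        return resp.read().decode()


# Constructed samples: the response quoted in the thread, trimmed to the relevant
# fields, and a failure response of the shape CAS returns for a bad ticket.
SAMPLE_VALIDATE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>userx</cas:user>
        <cas:attributes>
            <cas:authenticationMethod>ppm</cas:authenticationMethod>
            <cas:successfulAuthenticationHandlers>ppm</cas:successfulAuthenticationHandlers>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    # Placeholder endpoint and credentials; replace them with the sandbox values.
    xml = rest_login_and_validate("https://example.org/casphp", "https://serwis.org/casphp",
                                  "userx", "xxx", cafile=None)
    print(authenticated_user(xml), successful_handlers(xml),
          "everest OK" if handler_matches(xml, "everest") else "wrong handler")
```

Calling rest_login_and_validate in a loop across container restarts and collecting successful_handlers for each run gives a concrete record of whether the required handler was the one that authenticated the user.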
> On Friday, 3 December 2021 at 08:58:43 UTC+1, artur miś wrote:
>
>> Could you please, if you can, also show the cas.auth.policies you have connected to this solution?
>>
>> AM
>> On Thursday, 2 December 2021 at 17:04:45 UTC+1, C Ryan wrote:
>>
>>> This is what I'm using... to be honest I can't seem to recall if this does not bother trying the other resources... I think it does what we originally wanted.
>>>
>>>
>>>     "authenticationPolicy": {
>>>         "requiredAuthenticationHandlers": ["LDAP"],
>>>         "criteria": {
>>>             "tryAll": false,
>>>             "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
>>>         },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>>     },
>>> On 12/2/21 10:34 AM, artur miś wrote:
>>>
>>> Have you found a solution?
>>>
>>> On Tuesday, 4 May 2021 at 17:58:20 UTC+2, C Ryan wrote:
>>>
>>>> Folks,
>>>>
>>>>
>>>> Sorry for the likely stupid post, I swore I had sorted this prior. But I have 3 authentication sources defined: LDAP, Radius and Google MFA.
>>>>
>>>> I want to restrict a service to using, and most importantly trying, only an explicitly configured source. I.e., if I say LDAP is the auth resource, upon a failure I do _not_ want it to go ahead and try the other resources.
>>>>
>>>>
>>>> In cas.properties I have:
>>>>
>>>> cas.authn.policy.source-selection-enabled=false
>>>> cas.authn.policy.required-handler-authentication-policy-enabled=true
>>>> cas.authn.policy.req.try-all=false
>>>>
>>>>
>>>> and an example service definition as below:
>>>>
>>>> {
>>>>     "_id": {
>>>>         "$numberLong": "9999999999999"
>>>>     },
>>>>     "serviceId": "xxxxxxxxxx",
>>>>     "name": "SSO CAS Server",
>>>>     "expirationPolicy": {
>>>>         "deleteWhenExpired": false,
>>>>         "notifyWhenDeleted": false,
>>>>         "notifyWhenExpired": false,
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
>>>>     },
>>>>     "acceptableUsagePolicy": {
>>>>         "enabled": true,
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
>>>>     },
>>>>     "proxyPolicy": {
>>>>         "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>>     },
>>>>     "proxyTicketExpirationPolicy": {
>>>>         "numberOfUses": {
>>>>             "$numberLong": "0"
>>>>         },
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>>     },
>>>>     "serviceTicketExpirationPolicy": {
>>>>         "numberOfUses": {
>>>>             "$numberLong": "0"
>>>>         },
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>>     },
>>>>     "evaluationOrder": 99999,
>>>>     "usernameAttributeProvider": {
>>>>         "canonicalizationMode": "NONE",
>>>>         "encryptUsername": false,
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>>     },
>>>>     "logoutType": "BACK_CHANNEL",
>>>>     "environments": [],
>>>>     "attributeReleasePolicy": {
>>>>         "principalAttributesRepository": {
>>>>             "mergingStrategy": "MULTIVALUED",
>>>>             "attributeRepositoryIds": [],
>>>>             "ignoreResolvedAttributes": false,
>>>>             "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>>>>         },
>>>>         "consentPolicy": {
>>>>             "enabled": true,
>>>>             "order": 0,
>>>>             "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
>>>>         },
>>>>         "authorizedToReleaseCredentialPassword": false,
>>>>         "authorizedToReleaseProxyGrantingTicket": false,
>>>>         "excludeDefaultAttributes": false,
>>>>         "authorizedToReleaseAuthenticationAttributes": true,
>>>>         "order": 0,
>>>>         "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>>     },
>>>>     "multifactorPolicy": {
>>>>         "multifactorAuthenticationProviders": [],
>>>>         "failureMode": "UNDEFINED",
>>>>         "bypassEnabled": false,
>>>>         "forceExecution": false,
>>>>         "bypassTrustedDeviceEnabled": false,
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
>>>>     },
>>>>     "accessStrategy": {
>>>>         "order": 0,
>>>>         "enabled": true,
>>>>         "ssoEnabled": true,
>>>>         "delegatedAuthenticationPolicy": {
>>>>             "allowedProviders": [],
>>>>             "permitUndefined": true,
>>>>             "exclusive": false,
>>>>             "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
>>>>         },
>>>>         "requireAllAttributes": true,
>>>>         "requiredAttributes": {},
>>>>         "rejectedAttributes": {},
>>>>         "caseInsensitive": false,
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
>>>>     },
>>>>     "authenticationPolicy": {
>>>>         "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "LDAP" ]],
>>>>         "criteria": {
>>>>             "tryAll": false,
>>>>             "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
>>>>         },
>>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>>>     },
>>>>     "properties": {},
>>>>     "contacts": [],
>>>>     "_class": "org.apereo.cas.services.RegexRegisteredService"
>>>> }
>>>>
>>>> What am I missing?
>>>>
>>>> Thanks
>>>>
>>>>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/f285166b-b54a-4681-b38f-f3a1ee974529n%40apereo.org.