Pablo,
We have a config similar to this for a particular service:
{
"@class": "org.apereo.cas.services.RegexRegisteredService",
"serviceId": "https://service.example.net/login/saml2";,
"id": 1000,
"evaluationOrder": 1000,
"name": "DocuSign",
"description": "An example service.",
"attributeReleasePolicy": {
"@class":
"org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
"allowedAttributes": [
"java.util.ArrayList",
[
"eduPersonEntitlement"
]
],
"attributeFilter": {
"@class":
"org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
"completeMatch": false,
"excludeUnmappedAttributes": false,
"order": 0,
"patterns": {
"@class": "java.util.HashMap",
"eduPersonEntitlement": "^
https://service.example.net/authorized$";
}
}
},
"accessStrategy": {
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"unauthorizedRedirectUrl": "
https://cas.example.org/cas/html/403.html";,
"requiredAttributes": {
"@class": "java.util.HashMap",
"eduPersonEntitlement": [
"java.util.HashSet",
[
"https://service.example.net/authorized";
]
]
}
},
"logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png";,
"properties": {
"@class": "java.util.HashMap",
"InformationURL": {
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceProperty",
"values": [
"java.util.HashSet",
[
"https://help.example.org/service-example-net";
]
]
}
}
}
The idea is to just redirect to an "Unauthorized" page if the principal
does not have the required entitlement for the service. There are other
actions you can take as well, though you'd have to check the CAS docs to
see what those are.
Thanks,
Carl Waldbieser
ITS
Lafayette College
On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri <[email protected]>
wrote:
> Currently using standalone shib. I have a configuration in flow/intercept
> to check for a user attribute. If it is not a certain value, then we deny
> him access to the app he trying to log into. Shib allows me to define the
> entity-id in rely party to force this check, so I can decide which service
> needs this attribute set.
>
> Now, trying to use CAS-Shib. How can I do the same?
> 1) Check user attribute, if not value "X" then display message that he
> needs to do something first.
> 2) Be able to define which SAML service needs this attribute set.
>
> Thanks.
> -psv
>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups
> "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c29502f-388f-4e2a-b99f-8eb5591dab48n%40apereo.org
> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c29502f-388f-4e2a-b99f-8eb5591dab48n%40apereo.org?utm_medium=email&utm_source=footer>
> .
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbOoyoBvLJ8owSHFoCLX9ONnomVEDA08MKJyw5DCfEj2tg%40mail.gmail.com.
![https://cdn.lafayette.edu/images/logos/docusign-100x100.png"](https://cdn.lafayette.edu/images/logos/docusign-100x100.png"){kind=link}