There is nothing stopping a user from adding an existing allowed serviceId
into their hosts file pointing to 127.0.0.1. They'll be able to hit your
login page, maybe even be able to generate a TGT/ST, but the ST will fail on
samlValidate when CAS tries to POST back to the serviceId.
I agree with the
I'm not sure if this would be less secure than any other service at least
from a brute force perspective. The user still has to log in to your CAS
instance. If you want to prevent brute forcing, you should employ some sort
of account lockout after so many failed attempts or the CAS authenticatio