Hi Marcus,

If you are using 5.0.x or later, there should be a requiredAttributes field 
mentioned in the doc 
https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html

You will need to group all your users that need the restriction to the same 
service, then do something like below:

MyService-101.json

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://this-is-your-site.example.com",
  "name" : "My Service",
  "id" : 101,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "requiredAttributeHere1" : [ "java.util.HashSet", [ ".+" ] ],
      "requiredAttribute2" : [ "java.util.HashSet", [ ".+" ] ]
    }
  }
}


Note: those restrictions are regex-supported; that's why I use .+.

Then route the user to the service like this:
https://sso.cas.mycas?service=https%3A%2F%2Fthis-is-your-site.example.com

When a user attempts to log in, the attribute restriction should be triggered.

Is this the kind of behavior you want to implement?

-Andy


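To make the reply's semantics concrete, here is an added worked example (not code from the CAS project or from Andy) that loads the service JSON above, decodes the service= parameter of the login URL, and evaluates a principal's attribute map against the requiredAttributes rules. It is a simplified model, not the real DefaultRegisteredServiceAccessStrategy: it assumes full-regex matching of each released value (check whether your CAS version uses find() or matches() semantics), and the principal attribute names and values are constructed. It also shows why ".+" is the right "attribute must be present" pattern: an attribute that is released with an empty value does not satisfy it, so a group lookup that silently returns nothing still denies access.

```python
import json
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: the service definition from the reply, placeholder
# attribute names kept as-is.
SERVICE_JSON = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://this-is-your-site.example.com",
  "name" : "My Service",
  "id" : 101,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "requiredAttributeHere1" : [ "java.util.HashSet", [ ".+" ] ],
      "requiredAttribute2" : [ "java.util.HashSet", [ ".+" ] ]
    }
  }
}
'''


def load_policy(service_json):
    """Parse the service JSON into a plain access policy.

    CAS serialises typed collections as ["java.util.HashSet", [ ... ]] and
    typed maps with an "@class" entry; both wrappers are removed here.
    """
    service = json.loads(service_json)
    strategy = service["accessStrategy"]
    rules = {}
    for name, spec in strategy.get("requiredAttributes", {}).items():
        if name == "@class":
            continue
        typed = isinstance(spec, list) and len(spec) == 2 and isinstance(spec[1], list)
        patterns = spec[1] if typed else spec
        rules[name] = [re.compile(p) for p in patterns]
    return {
        "service_id": re.compile(service["serviceId"]),
        "enabled": strategy.get("enabled", True),
        "require_all": strategy.get("requireAllAttributes", False),
        "rules": rules,
    }


def service_matches(policy, login_url):
    """Take the service= parameter off the CAS login URL and test it against
    the serviceId regex. Assumption: full match of the whole URL; confirm the
    matching mode your CAS version applies before relying on it."""
    params = parse_qs(urlparse(login_url).query)
    requested = params.get("service", [""])[0]  # parse_qs already URL-decodes
    return policy["service_id"].fullmatch(requested) is not None


def attribute_satisfied(patterns, values):
    """A required attribute is satisfied when any released value fully matches
    any of its patterns. A present-but-empty value does not match ".+"."""
    return any(p.fullmatch(str(v)) is not None for p in patterns for v in values)


def access_allowed(policy, principal_attributes):
    """requireAllAttributes false: one satisfied required attribute is enough.
    requireAllAttributes true: every required attribute must be satisfied."""
    if not policy["enabled"]:
        return False
    if not policy["rules"]:
        return True
    verdicts = [
        attribute_satisfied(patterns, principal_attributes.get(name, []))
        for name, patterns in policy["rules"].items()
    ]
    return all(verdicts) if policy["require_all"] else any(verdicts)


def evaluate(service_json, login_url, principal_attributes):
    """Combined decision: the requested service must match the registered one
    and the principal must pass the access strategy."""
    policy = load_policy(service_json)
    return service_matches(policy, login_url) and access_allowed(policy, principal_attributes)


if __name__ == "__main__":
    login = "https://sso.cas.mycas?service=https%3A%2F%2Fthis-is-your-site.example.com"
    # Constructed principals: one with a group value, one whose lookup came back empty.
    member = {"requiredAttributeHere1": ["staff"]}
    nobody = {"requiredAttributeHere1": [""]}
    print(evaluate(SERVICE_JSON, login, member))
    print(evaluate(SERVICE_JSON, login, nobody))
```

Flip "requireAllAttributes" to true in the JSON and the same principal with only one of the two attributes is denied; that is the knob to use when membership in every listed group is required rather than any one of them.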

On Saturday, 16 September 2017 04:17:54 UTC+8, Marcus Watkins wrote:
>
> Hi,
>
> We have two authentication methods -- LDAP and a third party SSO tool 
> implemented as an AbstractNonInteractiveCredentialsAction.
>
> Our LDAP group config is nonstandard, so I've also implemented an 
> attribute lookup by overriding the attributeRepositories bean with my own 
> PersonAttributeDao to enumerate groups. This method has the added benefit 
> of also triggering a lookup for the SSO users.
>
> So far so good, with both methods everyone comes across properly with 
> attributes.
>
> Now, though, I have to somehow reject users if they don't have specific 
> attribute values. I've been looking for the proper hook, and I thought it 
> was going to be authenticationPolicyFactory, but its isSatisfiedBy never 
> seems to be called. Before I started plugging breakpoints everywhere I 
> thought I'd ask:
>
> Any suggestions on the cleanest way to hook in there to reject a user 
> based on attribute values? Or have I done this all wrong?
>
> Thanks!
>
> -Marcus Watkins
>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc35cddd-b443-4214-9cab-3dea3a934aec%40apereo.org.
