We have a mod_auth_cas installation where the CAS server on the other
end is sending us XML attributes in their response.  I don't have any
details on their CAS server version.  What I do know is that we are
using the serviceValidate url for validation.  The CAS server in
question does NOT have a samlValidate url option for us.

When a user authenticates to our application, we get a validation 
response from their CAS server that looks like this:

[Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153]
mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
<cas:serviceResponse
xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cn><![CDATA[---
 
- John Doe
]]></cn><campusstatus><![CDATA[--- 
- Staff
]]></campusstatus><sn><![CDATA[--- 
- Doe
]]></sn><departmentnumber><![CDATA[---
- Student Affairs
]]></departmentnumber><givenname><![CDATA[--- 
- John
]]></givenname></cas:authenticationSuccess></cas:serviceResponse>

As long as we use require valid-user, everything is fine, and users gain
access to the application.

My question: can mod_auth_cas work with these XML attributes
for authorization control, without having access to a samlValidate url
option?  For example, we would like to instruct Apache to limit access
to those users who have "Staff" in the "<campusstatus>" element.

Thanks!
Bryan
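
Added example, not part of the original message and not mod_auth_cas code: a Python parser for a serviceValidate response shaped like the one logged above, with a fail-closed check on the campusstatus value. The function names, the constructed sample, and the reading of each CDATA body as a `---` line followed by `- item` lines are assumptions drawn from the log excerpt.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.yale.edu/tp/cas}"

# Constructed sample with the same element layout as the logged response.
SAMPLE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    "<cas:authenticationSuccess><cas:user>jdoe</cas:user>"
    "<cn><![CDATA[--- \n- John Doe\n]]></cn>"
    "<campusstatus><![CDATA[--- \n- Staff\n]]></campusstatus>"
    "</cas:authenticationSuccess></cas:serviceResponse>"
)


def _values(text):
    """Split a CDATA body of the form '---\\n- item\\n' into a list of items."""
    items = []
    for line in (text or "").splitlines():
        line = line.strip()
        if line.startswith("- "):
            items.append(line[2:].strip())
        elif line and line != "---":
            items.append(line)  # plain scalar that was not list-serialized
    return items


def parse_validation(xml_text):
    """Return (user, attributes) on authenticationSuccess, else (None, {})."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, {}
    ok = root.find(NS + "authenticationSuccess")
    if root.tag != NS + "serviceResponse" or ok is None:
        return None, {}
    user = (ok.findtext(NS + "user") or "").strip()
    attrs = {}
    for child in ok:
        if child.tag.startswith("{"):  # skip cas:-namespaced elements
            continue
        attrs.setdefault(child.tag.lower(), []).extend(_values(child.text))
    return (user, attrs) if user else (None, {})


def is_authorized(xml_text, name="campusstatus", required="Staff"):
    """Fail closed: allow only an exact match on one of the attribute's values."""
    user, attrs = parse_validation(xml_text)
    return user is not None and required in attrs.get(name, [])
```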
