So this is the current format of this configuration, I'm using the
wildcard and the /cas/login page itself to simply verify things.
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"evaluationOrder": 99999
"authenticationPolicy":
{
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
"requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
"excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
}
}
I've also put the following in cas.properties
cas.authn.policy.required-handler-authentication-policy-enabled=true
It is still permitting authentication via the LDAP resource.
At a global level it works, I I do the, for example,
cas.authn.policy.req.try-all=false
cas.authn.policy.req.handler-name=Radius
cas.authn.policy.req.enabled=true
and in this configuration Radius and only Radius will auth.
Not sure where else to look.
Colin
On 10/21/20 7:06 AM, Colin Ryan wrote:
Ray,
That's where I picked up the configurations for what I've been trying
but it seems like it's still falling through past the Handler I want
to be required.
Was just wondering if I'm misinterpreting the need for or the context
of using the criteria configurations as well.
The configuration example I outlined is basically pulled from that page.
Colin
On 10/20/20 5:48 PM, Ray Bon wrote:
Colin,
Could this be what your are looking for,
https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html
<https://apereo.github.io/cas/6.2.x/services/Configuring-Service-AuthN-Policy.html>
Ray
On Tue, 2020-10-20 at 14:24 -0400, Colin Ryan wrote:
Notice: This message was sent from outside the University of
Victoria email system. Please be cautious with links and sensitive
information.
Folks,
I have 2 authentication sources. I have services that I want
strictly to only accept success via a specific source. Even if the
same credential pair could succeed in either.
I've been trying to user the "newer"? authenticationPolicy
approaches as the logs in my 6.2.3 builds were warning about
deprecation of the requiredAuth configurations.
So I have LDAP and Radius both backed by the same LDAP but for other
reasons I want a particular policy to specifically require
authentication to one or the other.
So to force Radius only to be accepted in a service definition I've
tried the below. But if for example, I fail on the Radius auth and
then try again it ends up Authenticating against LDAP1.
Missing something?
authenticationPolicy:
{
"@class":
"org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
"requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]],
criteria": {
"@class":
"org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
}
}
Thanks
Colin
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected] <mailto:[email protected]>
I respectfully acknowledge that my place of work is located within
the ancestral, traditional and unceded territory of the Songhees,
Esquimalt and WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas <https://apereo.github.io/cas>
- Gitter Chatroom: https://gitter.im/apereo/cas
<https://gitter.im/apereo/cas>
- List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7>
- Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG>
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cc902b81b87bb8b64c476842c72dc9451089ae2.camel%40uvic.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cc902b81b87bb8b64c476842c72dc9451089ae2.camel%40uvic.ca?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas <https://apereo.github.io/cas>
- Gitter Chatroom: https://gitter.im/apereo/cas
<https://gitter.im/apereo/cas>
- List Guidelines: https://goo.gl/1VRrw7 <https://goo.gl/1VRrw7>
- Contributions: https://goo.gl/mh7qDG <https://goo.gl/mh7qDG>
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/cc75a06d-7d74-8398-f56c-e60c450783dd%40caveo.ca
<https://groups.google.com/a/apereo.org/d/msgid/cas-user/cc75a06d-7d74-8398-f56c-e60c450783dd%40caveo.ca?utm_medium=email&utm_source=footer>.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/77aedc37-91ea-39c8-4521-bded390f35fa%40caveo.ca.
