Robert,
Two different steps, two different configurations. Attributes for access may be
different from attributes the service needs/wants.
See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release.html, in
particular, attribute release policy.
Ray
On Fri, 2020-12-04 at 18:07 +0000, King, Robert wrote:
Notice: This message was sent from outside the University of Victoria email
system. Please be cautious with links and sensitive information.
CAS 6.1 server
LDAP authentication + built in principal resolution
I am running into what I think is an inexperience issue with service access
strategies. I am attempting to use principal attributes to grant access to a
service.
Service entry:
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^https://webappsqa.fqdn/castester/.*";,
"name" : "cas test",
"id" : 1,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled" : true,
"ssoEnabled" : true,
"requireAllAtrributes" : true,
"requiredAttributes" :
{
"@class": "java.util.HashMap",
"memberOf" : [ "java.util.HashSet", [
"cn=cas_admin,ou=groups,dc=***,dc=***"] ],
},
"rejectedAttributes" :
{
"@class": "java.util.LinkedHashMap"
},
"caseInsensitive": false
},
}
When authenticating against the service I see the proper authentication and
service access enforcement.
=============================================================
WHO: robk
WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk,
source=null, customFields={})]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={memberOf=[
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={memberOf=[
cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: TGT-2-*****3DWzf1qfRI-login-poc
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: [result=Service Access
Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: robk
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_CREATED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
Then when the service attempts to validate the ST it seems to run into an issue
where the principal does not have any attribute data. I have highlighted the
audit with the empty principal that I believe is the cause of the service
ticket validation to fail.
=============================================================
WHO: audit:unknown
WHAT: [result=Service Access
Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk,
attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}]
ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
=============================================================
WHO: audit:unknown
WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for
https://webappsqa.fqdn/castester/
ACTION: SERVICE_TICKET_VALIDATE_FAILED
APPLICATION: CAS
WHEN: Fri Dec 04 13:12:51 NST 2020
CLIENT IP ADDRESS: ***.***.***.***
SERVER IP ADDRESS: ***.***.***.***
=============================================================
I am unsure as to why the principal is empty for the service when it is
validating the ST? Any help as to what I am missing?
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]<mailto:[email protected]>
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca.
