On a hunch, I tried turning on the attribute caching in the service entry and it fixed the immediate issue.
This still leaves me a little puzzled. The documentation implies that the principal should have been cached with the length of the default SSO session. Time to keep digging. From: [email protected] <[email protected]> On Behalf Of Ray Bon Sent: Friday, December 4, 2020 4:51 PM To: [email protected] Subject: [EXTERNAL SENDER] Re: [cas-user] service access strategies and required attributes Robert, Two different steps, two different configurations. Attributes for access may be different from attributes the service needs/wants. See, https://apereo.github.io/cas/6.2.x/integration/Attribute-Release.html, in particular, attribute release policy. Ray On Fri, 2020-12-04 at 18:07 +0000, King, Robert wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. CAS 6.1 server LDAP authentication + built in principal resolution I am running into what I think is an inexperience issue with service access strategies. I am attempting to use principal attributes to grant access to a service. Service entry: { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "^https://webappsqa.fqdn/castester/.*";, "name" : "cas test", "id" : 1, "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "enabled" : true, "ssoEnabled" : true, "requireAllAtrributes" : true, "requiredAttributes" : { "@class": "java.util.HashMap", "memberOf" : [ "java.util.HashSet", [ "cn=cas_admin,ou=groups,dc=***,dc=***"] ], }, "rejectedAttributes" : { "@class": "java.util.LinkedHashMap" }, "caseInsensitive": false }, } When authenticating against the service I see the proper authentication and service access enforcement. ============================================================= WHO: robk WHAT: Supplied credentials: [UsernamePasswordCredential(username=robk, source=null, customFields={})] ACTION: AUTHENTICATION_SUCCESS APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: robk WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={memberOf=[ cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: robk WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={memberOf=[ cn=cas_admin,ou=groups,dc=***,dc=***]}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: robk WHAT: TGT-2-*****3DWzf1qfRI-login-poc ACTION: TICKET_GRANTING_TICKET_CREATED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: robk WHAT: [result=Service Access Granted,service=https://webappsqa.fqdn/castester/...,requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=mun,dc=ca]}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: robk WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for https://webappsqa.fqdn/castester/ ACTION: SERVICE_TICKET_CREATED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= Then when the service attempts to validate the ST it seems to run into an issue where the principal does not have any attribute data. I have highlighted the audit with the empty principal that I believe is the cause of the service ticket validation to fail. ============================================================= WHO: audit:unknown WHAT: [result=Service Access Denied,service=https://webappsqa.fqdn/castester/...,principal=SimplePrincipal(id=robk, attributes={}),requiredAttributes={memberOf=[cn=cas_admin,ou=groups,dc=***,dc=***]}] ACTION: SERVICE_ACCESS_ENFORCEMENT_TRIGGERED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= ============================================================= WHO: audit:unknown WHAT: ST-6-DCwJziCpUw2m9nnoyGtazuMcsdM-login-poc for https://webappsqa.fqdn/castester/ ACTION: SERVICE_TICKET_VALIDATE_FAILED APPLICATION: CAS WHEN: Fri Dec 04 13:12:51 NST 2020 CLIENT IP ADDRESS: ***.***.***.*** SERVER IP ADDRESS: ***.***.***.*** ============================================================= I am unsure as to why the principal is empty for the service when it is validating the ST? Any help as to what I am missing? -- Ray Bon Programmer Analyst Development Services, University Systems 2507218831 | CLE 019 | [email protected]<mailto:[email protected]> I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca<https://groups.google.com/a/apereo.org/d/msgid/cas-user/b0bddf1c004c8d4d1c8062e432a42c6fe4552633.camel%40uvic.ca?utm_medium=email&utm_source=footer>. -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cddf58f66b4b4f78a4f3b64d8d4abc1e%40mun.ca.
