Folks,
Sorry for what is probably a stupid question; I was sure I had sorted this out before. I
have three authentication sources defined: LDAP, RADIUS and Google MFA.
I want to restrict a registered service to using — and, more importantly, *attempting* —
only an explicitly configured authentication handler. I.e. if I declare LDAP as the
required handler for a service, then when the LDAP authentication fails I do _not_ want
CAS to fall through and try the other handlers (RADIUS, Google MFA) with the same credentials.
In cas.properties I have:
cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false
and an example service definition as below:
{
"_id": {
"$numberLong": "9999999999999"
},
"serviceId": "xxxxxxxxxx",
"name": "SSO CAS Server",
"expirationPolicy": {
"deleteWhenExpired": false,
"notifyWhenDeleted": false,
"notifyWhenExpired": false,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
},
"acceptableUsagePolicy": {
"enabled": true,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
},
"proxyPolicy": {
"_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
},
"proxyTicketExpirationPolicy": {
"numberOfUses": {
"$numberLong": "0"
},
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
},
"serviceTicketExpirationPolicy": {
"numberOfUses": {
"$numberLong": "0"
},
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
},
"evaluationOrder": 99999,
"usernameAttributeProvider": {
"canonicalizationMode": "NONE",
"encryptUsername": false,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
},
"logoutType": "BACK_CHANNEL",
"environments": [],
"attributeReleasePolicy": {
"principalAttributesRepository": {
"mergingStrategy": "MULTIVALUED",
"attributeRepositoryIds": [],
"ignoreResolvedAttributes": false,
"_class":
"org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
},
"consentPolicy": {
"enabled": true,
"order": 0,
"_class":
"org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
},
"authorizedToReleaseCredentialPassword": false,
"authorizedToReleaseProxyGrantingTicket": false,
"excludeDefaultAttributes": false,
"authorizedToReleaseAuthenticationAttributes": true,
"order": 0,
"_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
},
"multifactorPolicy": {
"multifactorAuthenticationProviders": [],
"failureMode": "UNDEFINED",
"bypassEnabled": false,
"forceExecution": false,
"bypassTrustedDeviceEnabled": false,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
},
"accessStrategy": {
"order": 0,
"enabled": true,
"ssoEnabled": true,
"delegatedAuthenticationPolicy": {
"allowedProviders": [],
"permitUndefined": true,
"exclusive": false,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
},
"requireAllAttributes": true,
"requiredAttributes": {},
"rejectedAttributes": {},
"caseInsensitive": false,
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
},
"authenticationPolicy": {
"requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "LDAP" ]],
"criteria": {
"tryAll": false,
"_class":
"org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
},
"_class":
"org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
},
"properties": {},
"contacts": [],
"_class": "org.apereo.cas.services.RegexRegisteredService"
}
What am I missing? With the settings above, a failed LDAP authentication for this service still appears to fall through to the other handlers. One thing I am unsure of: does the `LDAP` entry in `requiredAuthenticationHandlers` have to match the handler's configured name exactly (e.g. the `name` set on the LDAP handler in cas.properties) rather than being a descriptive label? If the name does not match any handler, I would expect the policy to silently restrict nothing.
Thanks