Hello,

- 3 handlers
- 2 services

If I have in service AA

"authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["a", "b"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", ["c"]]
}


and 


service BB

"authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", ["a", "b", "c"]],
    "excludedAuthenticationHandlers" : ["java.util.TreeSet", []]
}



At the beginning I tried to authenticate to service AA (the user is a member
of the group for the searchFilter of handler c) - that works, I can't
authenticate; "excludedAuthenticationHandlers" works perfectly. Later, I
started browsing https://BB as the same user as before, from the c handler.
After logging into the BB service I tried to access http://AA/login and I was
surprised: I received access granted without entering the password again.
So "excludedAuthenticationHandlers" does not work in this case if the user was
already authenticated before for service BB.
How can I block the possibility of the user authenticating to service AA if he
was already authenticated to BB, without switching off SSO? I would like that
sharing key to keep working if I have the user in the b handler.


Sample handler a:
cas.authn.ldap[0].name=ktolet
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://fff:port
cas.authn.ldap[0].baseDn=dc=fc,dc=int
cas.authn.ldap[0].bindDn=ldap
cas.authn.ldap[0].bindCredential=vgvb
cas.authn.ldap[0].searchFilter=(&(memberOf=CN=gvSM. etc .)(sAMAccountName={user}))
cas.authn.ldap[0].principalAttributeId=sAMAccountName
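
Added example (not part of the original post and not CAS code): a small Python audit that reads the two policies above and lists handlers that one service blocks but another accepts, which is the combination where the post reports an existing SSO session being reused. The service wrappers, the function names and the rule that an empty required set means "all handlers" are assumptions.

```python
import json

# Constructed sample: the two policies from the post, wrapped in minimal
# service entries (the "name" keys are placeholders, not real CAS fields).
SERVICES_JSON = """
[
  {"name": "AA", "authenticationPolicy": {
     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["a", "b"]],
     "excludedAuthenticationHandlers": ["java.util.TreeSet", ["c"]]}},
  {"name": "BB", "authenticationPolicy": {
     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["a", "b", "c"]],
     "excludedAuthenticationHandlers": ["java.util.TreeSet", []]}}
]
"""
SERVICES = json.loads(SERVICES_JSON)

def typed_set(value):
    """Unwrap the typed-collection form ["java.util.TreeSet", [...]]."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
        return set(value[1])
    return set(value or [])

def allowed_handlers(service, all_handlers):
    """Handlers that may authenticate a login for this service.
    Assumption: an empty required set means every configured handler."""
    policy = service.get("authenticationPolicy", {})
    required = typed_set(policy.get("requiredAuthenticationHandlers"))
    excluded = typed_set(policy.get("excludedAuthenticationHandlers"))
    return (required or set(all_handlers)) - excluded

def sso_gaps(services, all_handlers):
    """Return (target, via, handlers): handlers blocked for `target` but
    accepted by `via`, so a session opened at `via` may be reused at `target`."""
    allowed = {s["name"]: allowed_handlers(s, all_handlers) for s in services}
    gaps = []
    for target, t_ok in allowed.items():
        for via, v_ok in allowed.items():
            leaked = v_ok - t_ok
            if via != target and leaked:
                gaps.append((target, via, sorted(leaked)))
    return gaps

if __name__ == "__main__":
    for target, via, handlers in sso_gaps(SERVICES, ["a", "b", "c"]):
        print(f"{target}: handlers {handlers} are blocked here but accepted by {via}")
```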
