My service is test-1.json
    {
      "@class": "org.apereo.cas.services.RegexRegisteredService",
      "serviceId": "^(http|https|imaps)://serwis.org/casphp*",
      "name": "test",
      "id": 1,
      "description": "Straggle Today!",
      "authenticationPolicy": {
        "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
        "criteria": {
          "try-All": false,   <- this probably should make the magic, but it didn't
          "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
        },
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
      }
    }

I have not included in cas.properties any directive like cas.auth.policy.<xxx>: cas.authn.policy.any.try-All or cas.authn.policy.all.enabled or cas.authn.policy.source-selection-enabled or cas.authn.policy.required-handler-authentication-policy-enabled.

My cas-overlay version is 6.3.2 on Docker. I have 3 AD handlers, and when I test a login without a service via https://example.org/casphp I can see that sometimes it uses the ppm handler and sometimes the second one, everest, because userx is in both; that seems to be OK. When I test for the service via the REST API (because for this sandbox CAS I have not connected any service physically yet, so I test it via the command line, but that doesn't seem to be the reason for the problems), see below; but I truly believe that you have some hack to manage it.
TEST curl, from the server side:

cat api_test.bash

    #!/bin/bash
    # Sandbox CAS server and the registered service under test
    CAS=https://example.org/casphp
    SERVICE=https://serwis.org/casphp

    # 1. Create a TGT for userx (the response body is the TGT id)
    tgt=$(curl -k -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
            -H 'Accept: application/json' "$CAS/v1/tickets" -d 'username=userx&password=xxx')
    echo "tgt: $tgt"

    # 2. Exchange the TGT for a ST for the service
    st=$(curl -k -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
            -H 'Accept: application/json' "$CAS/v1/tickets/$tgt?service=$SERVICE")
    echo "st: $st"

    # 3. Validate the ST against the CAS 3.0 endpoint
    output=$(curl -k -s "$CAS/p3/serviceValidate?service=$SERVICE&ticket=$st")
    echo "|$output|"

So I received:

    |<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
      <cas:authenticationSuccess>
        <cas:user>userx</cas:user>
        <cas:attributes>
          <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
          <cas:isFromNewLogin>true</cas:isFromNewLogin>
          <cas:authenticationDate>2021-12-03T11:25:14.792314Z</cas:authenticationDate>
          <cas:authenticationMethod>ppm</cas:authenticationMethod>
          <cas:successfulAuthenticationHandlers>ppm</cas:successfulAuthenticationHandlers>   <- here I want to have deterministic everest (not sometimes ppm or everest)
          <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
        </cas:attributes>
      </cas:authenticationSuccess>
    </cas:serviceResponse>|

The result is not deterministic. The user is receiving auth sometimes from ppm, sometimes from everest. I discovered that if I restart the CAS container I could get ppm, and it seems to keep the ppm handler until the next restart. If I do the next restart of CAS, I can get ppm or everest. Between restarts it looks like it keeps the handler chosen at the beginning. It is a little bit of magic for me.

On Friday, 3 December 2021 at 08:58:43 UTC+1 artur miś wrote:

> Could you please, if you can, also show the cas.auth.policies you have
> connected to this solution?
>
> AM
>
> On Thursday, 2 December 2021 at 17:04:45 UTC+1 C Ryan wrote:
>
>> This is what I'm using... to be honest I can't seem to recall if this does
>> not bother trying the other resources... I think it does what we originally
>> wanted.
>>
>>     "authenticationPolicy": {
>>       "requiredAuthenticationHandlers": ["LDAP"],
>>       "criteria": {
>>         "tryAll": false,
>>         "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
>>       },
>>       "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>     },
>>
>> On 12/2/21 10:34 AM, artur miś wrote:
>>
>> Have you found a solution?
>>
>> On Tuesday, 4 May 2021 at 17:58:20 UTC+2 C Ryan wrote:
>>
>>> Folks,
>>>
>>> Sorry for the likely stupid post, I swore I had sorted this prior. But I
>>> have 3 authentication sources defined: LDAP, Radius and Google MFA.
>>>
>>> I want to restrict a service to using - and most importantly trying -
>>> only an explicitly configured service. I.e. if I say LDAP as the Auth
>>> Resource, upon a failure I do _not_ want it to go ahead and try the other
>>> resources.
>>>
>>> In cas.properties I have:
>>>
>>>     cas.authn.policy.source-selection-enabled=false
>>>     cas.authn.policy.required-handler-authentication-policy-enabled=true
>>>     cas.authn.policy.req.try-all=false
>>>
>>> and an example service definition as below:
>>>
>>>     {
>>>       "_id": { "$numberLong": "9999999999999" },
>>>       "serviceId": "xxxxxxxxxx",
>>>       "name": "SSO CAS Server",
>>>       "expirationPolicy": {
>>>         "deleteWhenExpired": false,
>>>         "notifyWhenDeleted": false,
>>>         "notifyWhenExpired": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
>>>       },
>>>       "acceptableUsagePolicy": {
>>>         "enabled": true,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
>>>       },
>>>       "proxyPolicy": {
>>>         "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>       },
>>>       "proxyTicketExpirationPolicy": {
>>>         "numberOfUses": { "$numberLong": "0" },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>       },
>>>       "serviceTicketExpirationPolicy": {
>>>         "numberOfUses": { "$numberLong": "0" },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>       },
>>>       "evaluationOrder": 99999,
>>>       "usernameAttributeProvider": {
>>>         "canonicalizationMode": "NONE",
>>>         "encryptUsername": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>       },
>>>       "logoutType": "BACK_CHANNEL",
>>>       "environments": [],
>>>       "attributeReleasePolicy": {
>>>         "principalAttributesRepository": {
>>>           "mergingStrategy": "MULTIVALUED",
>>>           "attributeRepositoryIds": [],
>>>           "ignoreResolvedAttributes": false,
>>>           "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>>>         },
>>>         "consentPolicy": {
>>>           "enabled": true,
>>>           "order": 0,
>>>           "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
>>>         },
>>>         "authorizedToReleaseCredentialPassword": false,
>>>         "authorizedToReleaseProxyGrantingTicket": false,
>>>         "excludeDefaultAttributes": false,
>>>         "authorizedToReleaseAuthenticationAttributes": true,
>>>         "order": 0,
>>>         "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>       },
>>>       "multifactorPolicy": {
>>>         "multifactorAuthenticationProviders": [],
>>>         "failureMode": "UNDEFINED",
>>>         "bypassEnabled": false,
>>>         "forceExecution": false,
>>>         "bypassTrustedDeviceEnabled": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
>>>       },
>>>       "accessStrategy": {
>>>         "order": 0,
>>>         "enabled": true,
>>>         "ssoEnabled": true,
>>>         "delegatedAuthenticationPolicy": {
>>>           "allowedProviders": [],
>>>           "permitUndefined": true,
>>>           "exclusive": false,
>>>           "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
>>>         },
>>>         "requireAllAttributes": true,
>>>         "requiredAttributes": {},
>>>         "rejectedAttributes": {},
>>>         "caseInsensitive": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
>>>       },
>>>       "authenticationPolicy": {
>>>         "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "LDAP" ]],
>>>         "criteria": {
>>>           "tryAll": false,
>>>           "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
>>>         },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>>       },
>>>       "properties": {},
>>>       "contacts": [],
>>>       "_class": "org.apereo.cas.services.RegexRegisteredService"
>>>     }
>>>
>>> What am I missing?
>>>
>>> Thanks
>>>
>>> --
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/46124c34-aa43-4a3c-bbd5-a7090f7fcd4en%40apereo.org.
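As an added example (not from the thread and not CAS's own code): a small Python check that parses a service definition like test-1.json and a p3/serviceValidate body like the one in the top post, and reports whether the handler CAS says succeeded falls within the service's requiredAuthenticationHandlers, which is the comparison artur is doing by eye. Assumptions: both samples are constructed, the criteria key is spelled tryAll as in C Ryan's reply rather than the hyphenated try-All, and the check only reflects what CAS reports (it does not assume where in the REST flow the policy is evaluated).

```python
import json
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}
# Constructed sample modelled on test-1.json; the criteria key is spelled
# "tryAll" here (assumption: the hyphenated "try-All" is not a recognised property).
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://serwis.org/casphp*", "name": "test", "id": 1,
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["everest"]],
    "criteria": {"tryAll": false,
      "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"},
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"}}"""

# Constructed sample of a /p3/serviceValidate body like the one pasted in the thread.
VALIDATE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
 <cas:authenticationSuccess><cas:user>userx</cas:user><cas:attributes>
  <cas:authenticationMethod>ppm</cas:authenticationMethod>
  <cas:successfulAuthenticationHandlers>ppm</cas:successfulAuthenticationHandlers>
 </cas:attributes></cas:authenticationSuccess></cas:serviceResponse>"""

def required_handlers(service_json):
    """Handler names the service policy requires. Jackson serialises typed
    collections as ["java.util.TreeSet", [...]], so unwrap that wrapper."""
    policy = json.loads(service_json).get("authenticationPolicy", {})
    handlers = policy.get("requiredAuthenticationHandlers", [])
    if len(handlers) == 2 and isinstance(handlers[0], str) and handlers[0].startswith("java."):
        handlers = handlers[1]
    return set(handlers)

def handlers_from_validate(xml_text):
    """Parse a CAS 3.0 serviceValidate response into (user, set of handlers that
    succeeded). Raises ValueError carrying the CAS error code on failure."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is None:
        fail = root.find("cas:authenticationFailure", CAS_NS)
        raise ValueError(fail.get("code") if fail is not None else "UNKNOWN")
    user = ok.findtext("cas:user", namespaces=CAS_NS)
    # Multi-valued attributes are repeated elements in the CAS 3.0 protocol.
    used = ok.findall("cas:attributes/cas:successfulAuthenticationHandlers", CAS_NS)
    return user, {e.text.strip() for e in used if e.text}

def policy_honoured(service_json, xml_text):
    """True when every handler CAS reports is one the service policy allows;
    a ppm result for a service that requires everest returns False."""
    _, used = handlers_from_validate(xml_text)
    return bool(used) and used <= required_handlers(service_json)
```

Feed the real validate body from step 3 of api_test.bash into policy_honoured() on each run to turn the "sometimes ppm, sometimes everest" observation into a pass/fail you can log per restart.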