Perfect, that was exactly what I was looking for. Not sure how I missed 
this in the documentation.

On Thursday, January 27, 2022 at 9:00:49 AM UTC-6 waldbiec wrote:

> Pablo,
>
> We have a config similar to this for a particular service:
>
> {
>     "@class": "org.apereo.cas.services.RegexRegisteredService",
>     "serviceId": "https://service.example.net/login/saml2",
>     "id": 1000,
>     "evaluationOrder": 1000,
>     "name": "DocuSign",
>     "description": "An example service.",
>     "attributeReleasePolicy": {
>         "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>         "allowedAttributes": [
>             "java.util.ArrayList",
>             [
>                 "eduPersonEntitlement"
>             ]
>         ],
>         "attributeFilter": {
>             "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>             "completeMatch": false,
>             "excludeUnmappedAttributes": false,
>             "order": 0,
>             "patterns": {
>                 "@class": "java.util.HashMap",
>                 "eduPersonEntitlement": "^https://service.example.net/authorized$"
>             }
>         }
>     },
>     "accessStrategy": {
>         "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>         "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
>         "requiredAttributes": {
>             "@class": "java.util.HashMap",
>             "eduPersonEntitlement": [
>                 "java.util.HashSet",
>                 [
>                     "https://service.example.net/authorized"
>                 ]
>             ]
>         }
>     },
>     "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
>     "properties": {
>         "@class": "java.util.HashMap",
>         "InformationURL": {
>             "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>             "values": [
>                 "java.util.HashSet",
>                 [
>                     "https://help.example.org/service-example-net"
>                 ]
>             ]
>         }
>     }
> }
>
>
> The idea is to just redirect to an "Unauthorized" page if the principal 
> does not have the required entitlement for the service.  There are other 
> actions you can take as well, though you'd have to check the CAS docs to 
> see what those are.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri <[email protected]> 
> wrote:
>
>> Currently using standalone shib. I have a configuration in flow/intercept 
>> to check for a user attribute. If it is not a certain value, then we deny 
>> him access to the app he is trying to log into. Shib allows me to define the 
>> entity-id in relying party to force this check, so I can decide which service 
>> needs this attribute set.
>>
>> Now, trying to use CAS-Shib. How can I do the same?
>> 1) Check user attribute, if not value "X" then display message that he 
>> needs to do something first.
>> 2) Be able to define which SAML service needs this attribute set.
>>
>> Thanks.
>> -psv
>>
>> -- 
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> --- 
>> You received this message because you are subscribed to the Google Groups 
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c29502f-388f-4e2a-b99f-8eb5591dab48n%40apereo.org.
>>
>
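
The per-service gate that the quoted service definition configures, as an added Python sketch that is not part of the original thread and is not CAS's own code. It assumes simplified semantics: every required attribute must carry at least one listed value (exact comparison), and released values are those matching the mapped pattern as a partial match; `untyped` and `decide` are hypothetical helper names.

```python
import json
import re

# Constructed input: the two policy blocks of the service definition quoted
# above, trimmed to the fields this sketch reads.
SERVICE = json.loads(r"""{
  "attributeReleasePolicy": {
    "allowedAttributes": ["java.util.ArrayList", ["eduPersonEntitlement"]],
    "attributeFilter": {"patterns": {"@class": "java.util.HashMap",
      "eduPersonEntitlement": "^https://service.example.net/authorized$"}}},
  "accessStrategy": {
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {"@class": "java.util.HashMap",
      "eduPersonEntitlement": ["java.util.HashSet",
        ["https://service.example.net/authorized"]]}}}""")


def untyped(node):
    """Strip the type wrappers: ["java.util.X", [...]] lists and "@class" keys."""
    if (isinstance(node, list) and len(node) == 2
            and isinstance(node[0], str) and isinstance(node[1], list)):
        return [untyped(v) for v in node[1]]
    if isinstance(node, dict):
        return {k: untyped(v) for k, v in node.items() if k != "@class"}
    return node


def decide(service, principal):
    """Return ("allow", released_attributes) or ("redirect", url)."""
    svc = untyped(service)
    access = svc["accessStrategy"]
    # Assumption: all required attributes must match (exact value comparison).
    for name, wanted in access.get("requiredAttributes", {}).items():
        if not set(wanted) & set(principal.get(name, [])):
            return "redirect", access.get("unauthorizedRedirectUrl")
    policy = svc["attributeReleasePolicy"]
    patterns = policy["attributeFilter"]["patterns"]
    released = {}
    for name in policy["allowedAttributes"]:
        values = principal.get(name, [])
        if name in patterns:  # mapped attribute: keep only matching values
            values = [v for v in values if re.search(patterns[name], v)]
        if values:
            released[name] = values
    return "allow", released
```

A principal holding several entitlements is admitted only if one of them is the required value, and only that value is released to the service.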
