Kim, I left out one part. As Joachim noted in another response, the customized casServiceValidationSuccess.jsp file (on the cas server) is also needed to make it work, in addition to what I have below.
Erik Guss

---------------------------------
Sent: Thursday, September 01, 2011 10:57 AM
To: '[email protected]'
Subject: RE: OCLC/EZProxy says I can send attributes in response to their GET /serviceValidate. Are they right?

Kim,

We are using it. Included are our relevant config snippets. Remember to look in your EZProxy messages file for the attributes being returned (with DEBUG on in user.txt).

Erik Guss

--------------------
cas/WEB-INF/deployerConfigContext.xml snippet

    <bean id="serviceRegistryDao" class="org.jasig.cas.services.InMemoryServiceRegistryDaoImpl">
      <property name="registeredServices">
        <list>
          <bean class="org.jasig.cas.services.RegisteredServiceImpl" >
            <property name="id" value="1"/>
            <property name="description" value="ALL"/>
            <property name="serviceId" value="*://*.lib.montana.edu/**"/>
            <property name="name" value="All"/>
            <property name="theme" value="default"/>
            <property name="allowedToProxy" value="true"/>
            <property name="enabled" value="true"/>
            <property name="ssoEnabled" value="true"/>
            <property name="anonymousAccess" value="false"/>
            <property name="allowedAttributes">
              <list>
                <value>uid</value>
                <value>role</value>
                <value>netid</value>
                <value>email</value>
                <value>lfname</value>
                <value>alias</value>
                <value>banid</value>
                <value>locaff</value>
                <value>active</value>
                <value>getscirc</value>
                <value>getsill</value>
                <value>getsproxy</value>
              </list>
            </property>
          </bean>

---------------------
EZProxy user.txt snippet

    ::CAS
    Debug
    LoginURL https://auth.lib.montana.edu/cas/login
    ServiceValidateURL https://auth.lib.montana.edu/cas/serviceValidate
    Group NULL
    Test -RE //*/cas:locaff (.*BZ.*); Group +MSU
    Test -RE //*/cas:active (N); Deny unaffiliated.html
    Test -RE //*/cas:getsproxy (N); Deny unaffiliated.html
    NoGroups; Deny unaffiliated.html
    /CAS

---------------------------
EZProxy config.txt snippet

    # this is needed for CAS authn,authr via user.txt
    Group MSU

-----Original Message-----
From: Cary, Kim [mailto:[email protected]]
Sent: Thursday, September 01, 2011 10:39 AM
To: [email protected]
Subject: [cas-user] OCLC/EZProxy says I can send attributes in response to their GET /serviceValidate. Are they right?

Going a little nuts here. We have a working EZProxy integration with CAS. We're trying to do authorization based on attributes that are returned by CAS, but EZProxy is only sending us /serviceValidate ticket checks. The OCLC support folks are saying that we just don't know how to configure our CAS server to return those attributes. I'm saying they must have developed it against some customized/extended CAS server, because what they're sending us will NEVER result in an attribute return.

Who is right? (or some other explanation)

Is anyone using EZProxy with group authorization by CAS attributes?
