Re: [cas-user] Access strategy not working with SAML based service

2021-12-17 Thread Nordy Di Marzio
Thank you, Carl, for your reply.

I am wondering if it's not related to SAML, because I have the same config
that works fine for CAS protocol based SPs... but for SAML based ones,
nothing.

I would be very thankful if someone can help me.

Thanks.


Re: [cas-user] Access strategy not working with SAML based service

2021-09-23 Thread Carl Waldbieser
We are using CAS 6.x.  I have a SAML entry in my allow list that looks
similar to this:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "Entity ID goes here ...",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "SAML Provider",
  "description": "Blah blah blah ...",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://example.lafayette.edu/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://example.lafayette.edu/pages/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://example.lafayette.edu/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.lafayette.edu/example"
        ]
      ]
    }
  }
}


Hope that helps.

Thanks,
Carl Waldbieser
ITS
Lafayette College


-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CALt4NbP%3DS0iM1OYSRyeC9bhZ5RNj5QmgYDntDhpKR9i%3Da0e83g%40mail.gmail.com.


[cas-user] Access strategy not working with SAML based service

2021-09-23 Thread Nordy Di Marzio
Hello CAS community,

Hope you are doing great.

I am having a little issue getting access strategy to work with a SAML based
service.

More precisely, I am trying to implement access restrictions based on
group membership, but for now all users are able to log on to the app
regardless of their group membership, and no error is being logged.

So I am wondering if there is something missing in my config. Could you
please help me find out what else I should configure?

This is the service file that I am using:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://foo.bar/",
  "name": "foo",
  "id": 10013986,
  "evaluationOrder": 3,
  "metadataLocation": "/etc/cas/saml/foo.xml",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "memberOf" : [ "java.util.HashSet", [ "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar" ] ]
    }
  }
}



The CAS version I am using is 5.1.

Thanks for your help,

Nordy
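
An added example, not part of the original thread and not CAS's own code: a simplified offline model of how the `accessStrategy` in the service file above would be expected to decide, so the definition can be checked separately from the server. The matching rule (exact or full-string regex), the assumed default for `requireAllAttributes`, and the principal attributes used to exercise it are assumptions made for this illustration.

```python
import json
import re

# Constructed input: the accessStrategy from the service file posted above.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://foo.bar/",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true, "requireAllAttributes": false, "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "memberOf": ["java.util.HashSet", ["CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar"]]
    }
  }
}"""

def untype(node):
    """Drop Jackson type hints: "@class" keys and ["java.util.X", [...]] wrappers."""
    if isinstance(node, dict):
        return {k: untype(v) for k, v in node.items() if k != "@class"}
    if isinstance(node, list):
        if (len(node) == 2 and isinstance(node[0], str)
                and node[0].startswith("java.util.") and isinstance(node[1], list)):
            node = node[1]
        return [untype(v) for v in node]
    return node

def matches(wanted, actual):
    """Assumed rule: exact match, or 'wanted' used as a full-string regex."""
    try:
        return wanted == actual or re.fullmatch(wanted, actual) is not None
    except re.error:
        return False

def is_authorized(service, principal_attrs):
    """Simplified model of the access decision; not CAS's implementation."""
    strategy = untype(service).get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return False
    required = strategy.get("requiredAttributes", {})
    def satisfied(name):
        have = principal_attrs.get(name, [])
        have = [have] if isinstance(have, str) else have
        return any(matches(w, h) for w in required[name] for h in have)
    # requireAllAttributes picks all-of vs any-of; default assumed true.
    check = all if strategy.get("requireAllAttributes", True) else any
    return not required or check(satisfied(n) for n in required)

SERVICE = json.loads(SERVICE_JSON)
```

Comparing the model's verdict with what the server does for the same user helps separate a problem in the definition from a problem in attribute resolution or enforcement.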
