Hi all, I've got a SAML service that has login requirements that must be performed on the CAS/IdP side. Basically, I want a list of users (matched by uid) to be allowed access to this specific service.
I read the docs at https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html and went ahead configuring a service. The service config is below:

    {
      @class: org.apereo.cas.support.saml.services.SamlRegisteredService
      name: Some Service
      id: 1005
      serviceId: https://example.com/shibboleth-sp
      attributeReleasePolicy: {
        @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
        allowedAttributes: {
          @class: java.util.TreeMap
          uid: uid
          mail: special-mail-name
        }
      }
      accessStrategy: {
        @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
        enabled: true
        ssoEnabled: true
        requiredAttributes: {
          @class: java.util.HashMap
          uid: ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
        }
      }
      proxyPolicy: {
        @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
      }
      metadataLocation: /etc/cas/metadata/metadata.xml
      metadataCriteriaPattern: https://example.com/shibboleth-sp
    }

To test, I go to https://my.cas.local/cas/login?service=https://example.com/shibboleth-sp, log in, and it works. I am denied when I should be and allowed when I should be. The problem is when I go to use the service properly. I go to the service, get redirected back to CAS, and the access strategy is completely ignored. I see the below:

    DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{uid=mareid, mail=something}]>
    DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>

After doing some digging, it seems like the SAML services use the RegexRegisteredService instead of the actual service when performing authentication. Now I am stuck: I have other SAML services that use the RegexRegisteredService, but I want to be able to limit authorization only in this specific service. Is there any other way to do authorization at the CAS end for SAML services?
Thanks,
Mac Reid

You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/198757d8-fb34-42b8-aeef-52cb52988d1f%40apereo.org.
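The two behaviours in the post (a service whose `requiredAttributes` map is empty logs "Skipping access strategy policy" and lets everyone through, while the intended SamlRegisteredService never gets consulted) can be reproduced with a small model of how CAS picks a registered service and then applies `DefaultRegisteredServiceAccessStrategy`. The following is an added example, not CAS code and not the poster's configuration. It assumes the documented semantics: services are tried in ascending `evaluationOrder` and the first whose `serviceId` regex matches wins; each `requiredAttributes` entry is a set of regex patterns, at least one of which must match one of the principal's values; with an empty `requiredAttributes` the strategy is skipped. The catch-all `^https://.*` service is a constructed stand-in for the broader RegexRegisteredService the post says the SAML flow ends up matching; the principal attributes are constructed sample data.

```python
"""Simplified model of CAS registered-service lookup and
DefaultRegisteredServiceAccessStrategy (added example, not CAS code).

Modelling assumptions (see lead-in): first regex match in ascending
evaluationOrder wins; requiredAttributes values are regex pattern sets;
an empty requiredAttributes map skips the access strategy entirely.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AccessStrategy:
    enabled: bool = True
    # attribute name -> set of regex patterns (the ["java.util.HashSet", [...]] in the JSON)
    required_attributes: dict = field(default_factory=dict)
    require_all_attributes: bool = True  # CAS default

    def authorized(self, principal_attrs):
        """Return (decision, reason). principal_attrs: attribute name -> list of values."""
        if not self.enabled:
            return False, "service disabled"
        if not self.required_attributes:
            # This is the branch behind the log line
            # "Skipping access strategy policy, since no attributes rules are defined".
            return True, "no attribute rules defined, access strategy skipped"
        per_attribute = []
        for name, patterns in self.required_attributes.items():
            values = [str(v) for v in principal_attrs.get(name, [])]
            per_attribute.append(any(re.search(p, v) for p in patterns for v in values))
        ok = all(per_attribute) if self.require_all_attributes else any(per_attribute)
        return ok, ("required attributes matched" if ok else "required attributes not matched")


@dataclass
class RegisteredService:
    name: str
    service_id: str  # a regex, as in RegexRegisteredService / SamlRegisteredService
    evaluation_order: int = 0
    access_strategy: AccessStrategy = field(default_factory=AccessStrategy)

    def matches(self, service_url):
        # Modelled on Java's Matcher.find(): the pattern may match anywhere in the URL.
        return re.search(self.service_id, service_url) is not None


def find_service(registry, service_url):
    """First registered service whose serviceId regex matches, in evaluationOrder."""
    for svc in sorted(registry, key=lambda s: s.evaluation_order):
        if svc.matches(service_url):
            return svc
    return None


def check_access(registry, service_url, principal_attrs):
    """Return (service name, allowed, reason) for a login to service_url."""
    svc = find_service(registry, service_url)
    if svc is None:
        return None, False, "no registered service matched"
    ok, reason = svc.access_strategy.authorized(principal_attrs)
    return svc.name, ok, reason


def build_registry(saml_order, catch_all_order):
    """Constructed registry: the post's SAML service plus a broad catch-all regex service."""
    saml = RegisteredService(
        name="Some Service",
        service_id="https://example.com/shibboleth-sp",
        evaluation_order=saml_order,
        access_strategy=AccessStrategy(required_attributes={"uid": {"^bob$", "^joe$", "^sue$"}}),
    )
    catch_all = RegisteredService(
        name="Catch-all HTTPS",            # hypothetical broad RegexRegisteredService
        service_id="^https://.*",
        evaluation_order=catch_all_order,  # no requiredAttributes -> strategy is skipped
    )
    return [saml, catch_all]


if __name__ == "__main__":
    sp = "https://example.com/shibboleth-sp"
    # Catch-all evaluated first: "mareid" is let in and the SAML service is never consulted.
    print(check_access(build_registry(10, 0), sp, {"uid": ["mareid"]}))
    # SAML service evaluated first: its requiredAttributes now apply.
    print(check_access(build_registry(0, 10), sp, {"uid": ["mareid"]}))
    print(check_access(build_registry(0, 10), sp, {"uid": ["bob"]}))
```

Running it prints the shadowed case first (the catch-all wins and reports the strategy as skipped), then the SAML service denying `mareid` and allowing `bob` once it is evaluated before the catch-all. When several registered services can match the same SP entity ID, comparing their `evaluationOrder` values (or tightening the broader service's `serviceId` pattern so it no longer matches this SP) is the first thing to check in the registry.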