Re: [cas-user] CAS Shibboleth, check user attribute before granting access

2022-01-29 Thread Pablo Vidaurri
Perfect, that was exactly what I was looking for. Not sure how I missed 
this in the documentation.

On Thursday, January 27, 2022 at 9:00:49 AM UTC-6 waldbiec wrote:

> Pablo,
>
> We have a config similar to this for a particular service:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "https://service.example.net/login/saml2",
>   "id": 1000,
>   "evaluationOrder": 1000,
>   "name": "DocuSign",
>   "description": "An example service.",
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes": [
>       "java.util.ArrayList",
>       [
>         "eduPersonEntitlement"
>       ]
>     ],
>     "attributeFilter": {
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>       "completeMatch": false,
>       "excludeUnmappedAttributes": false,
>       "order": 0,
>       "patterns": {
>         "@class": "java.util.HashMap",
>         "eduPersonEntitlement": "^https://service.example.net/authorized$"
>       }
>     }
>   },
>   "accessStrategy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
>     "requiredAttributes": {
>       "@class": "java.util.HashMap",
>       "eduPersonEntitlement": [
>         "java.util.HashSet",
>         [
>           "https://service.example.net/authorized"
>         ]
>       ]
>     }
>   },
>   "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
>   "properties": {
>     "@class": "java.util.HashMap",
>     "InformationURL": {
>       "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values": [
>         "java.util.HashSet",
>         [
>           "https://help.example.org/service-example-net"
>         ]
>       ]
>     }
>   }
> }
>
>
> The idea is to just redirect to an "Unauthorized" page if the principal 
> does not have the required entitlement for the service.  There are other 
> actions you can take as well, though you'd have to check the CAS docs to 
> see what those are.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri  
> wrote:
>
>> Currently using standalone shib. I have a configuration in flow/intercept 
>> to check for a user attribute. If it is not a certain value, then we deny 
>> him access to the app he is trying to log into. Shib allows me to define the 
>> entity-id in relying party to force this check, so I can decide which service 
>> needs this attribute set.
>>
>> Now, trying to use CAS-Shib. How can I do the same?
>> 1) Check user attribute, if not value "X" then display message that he 
>> needs to do something first.
>> 2) Be able to define which SAML service needs this attribute set.
>>
>> Thanks.
>> -psv
>>
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/84231018-b583-45ef-bdf1-87033fdb24d8n%40apereo.org.


Re: [cas-user] CAS Shibboleth, check user attribute before granting access

2022-01-27 Thread Carl Waldbieser
Pablo,

We have a config similar to this for a particular service:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://service.example.net/login/saml2",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "DocuSign",
  "description": "An example service.",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://service.example.net/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://service.example.net/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.example.org/service-example-net"
        ]
      ]
    }
  }
}


The idea is to just redirect to an "Unauthorized" page if the principal
does not have the required entitlement for the service.  There are other
actions you can take as well, though you'd have to check the CAS docs to
see what those are.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Wed, Jan 26, 2022 at 10:35 PM Pablo Vidaurri 
wrote:

> Currently using standalone shib. I have a configuration in flow/intercept
> to check for a user attribute. If it is not a certain value, then we deny
> him access to the app he is trying to log into. Shib allows me to define the
> entity-id in relying party to force this check, so I can decide which service
> needs this attribute set.
>
> Now, trying to use CAS-Shib. How can I do the same?
> 1) Check user attribute, if not value "X" then display message that he
> needs to do something first.
> 2) Be able to define which SAML service needs this attribute set.
>
> Thanks.
> -psv
>
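
Added example (not part of the original message, and not CAS code): a small Python model of the per-service check described above, useful for dry-running a service definition against sample principals before deploying it. It assumes exact string matching of attribute values and that `requireAllAttributes` defaults to true; the function names `unwrap` and `decide` are hypothetical, and the JSON is a constructed excerpt of the posted definition.

```python
import json

# Constructed sample: the accessStrategy part of the service definition from
# the post, trimmed to the fields this check reads.
SERVICE_JSON = """{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "https://service.example.net/login/saml2",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": ["java.util.HashSet",
                               ["https://service.example.net/authorized"]]
    }
  }
}"""

def unwrap(node):
    """Drop the type hints in the JSON: "@class" keys and the
    ["java.util.X", [...]] wrappers around collections."""
    if isinstance(node, dict):
        return {k: unwrap(v) for k, v in node.items() if k != "@class"}
    if isinstance(node, list):
        if (len(node) == 2 and isinstance(node[0], str)
                and node[0].startswith("java.util.") and isinstance(node[1], list)):
            node = node[1]
        return [unwrap(v) for v in node]
    return node

def decide(service_json, principal_attrs):
    """Return ("allow", None) or ("deny", unauthorizedRedirectUrl)."""
    strategy = unwrap(json.loads(service_json)).get("accessStrategy", {})
    required = strategy.get("requiredAttributes", {})
    require_all = strategy.get("requireAllAttributes", True)  # assumed default
    hits = []
    for name, wanted in required.items():
        held = principal_attrs.get(name, [])
        held = [held] if isinstance(held, str) else held  # single-valued attribute
        hits.append(any(value in wanted for value in held))  # exact match only
    if not hits:  # no required attributes configured: nothing to enforce
        return ("allow", None)
    allowed = all(hits) if require_all else any(hits)
    return ("allow", None) if allowed else ("deny", strategy.get("unauthorizedRedirectUrl"))
```

A principal holding the entitlement gets ("allow", None); one without it, or with a different entitlement value, gets ("deny", ...) with the 403 page from the definition.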



[cas-user] CAS Shibboleth, check user attribute before granting access

2022-01-26 Thread Pablo Vidaurri
Currently using standalone shib. I have a configuration in flow/intercept 
to check for a user attribute. If it is not a certain value, then we deny 
him access to the app he is trying to log into. Shib allows me to define the 
entity-id in relying party to force this check, so I can decide which service 
needs this attribute set.

Now, trying to use CAS-Shib. How can I do the same?
1) Check user attribute, if not value "X" then display message that he 
needs to do something first.
2) Be able to define which SAML service needs this attribute set.

Thanks.
-psv
