Re: [cas-user] Access strategy not working with SAML based service

2021-12-17 Thread Nordy Di Marzio
Thank you, Carl, for your reply.

I am wondering if it's not related to SAML, because I have the same config
that works fine for CAS protocol based SPs... but for SAML based ones,
nothing.

I would be very thankful if someone can help me.

Thanks.

On Thu, Sep 23, 2021 at 16:35, Carl Waldbieser wrote:

> We are using CAS 6.x.  I have a SAML entry in my allow list that looks
> similar to this:
>
> {
>   "@class": "org.apereo.cas.services.RegexRegisteredService",
>   "serviceId": "Entity ID goes here ...",
>   "id": 1000,
>   "evaluationOrder": 1000,
>   "name": "SAML Provider",
>   "description": "Blah blah blah ...",
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
>     "allowedAttributes": [
>       "java.util.ArrayList",
>       [
>         "eduPersonEntitlement"
>       ]
>     ],
>     "attributeFilter": {
>       "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
>       "completeMatch": false,
>       "excludeUnmappedAttributes": false,
>       "order": 0,
>       "patterns": {
>         "@class": "java.util.HashMap",
>         "eduPersonEntitlement": "^https://example.lafayette.edu/authorized$"
>       }
>     }
>   },
>   "accessStrategy": {
>     "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "unauthorizedRedirectUrl": "https://example.lafayette.edu/pages/403.html",
>     "requiredAttributes": {
>       "@class": "java.util.HashMap",
>       "eduPersonEntitlement": [
>         "java.util.HashSet",
>         [
>           "https://example.lafayette.edu/authorized"
>         ]
>       ]
>     }
>   },
>   "logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
>   "properties": {
>     "@class": "java.util.HashMap",
>     "InformationURL": {
>       "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
>       "values": [
>         "java.util.HashSet",
>         [
>           "https://help.lafayette.edu/example"
>         ]
>       ]
>     }
>   }
> }
>
>
> Hope that helps.
>
> Thanks,
> Carl Waldbieser
> ITS
> Lafayette College
>
> On Thu, Sep 23, 2021 at 9:44 AM Nordy Di Marzio wrote:
>
>> Hello CAS community,
>>
>> Wish you are doing great,
>>
>> I am having a little issue getting the access strategy to work with a SAML
>> based service.
>>
>> More precisely, I am trying to implement access restrictions based on
>> group membership, but for now all users are able to log on to the app
>> regardless of their group membership, and no error is being logged.
>>
>> So I am wondering if there is something missing in my config. Could you
>> please help me find out what else I should configure?
>>
>> This is the service file that I am using:
>>
>> {
>>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>>   "serviceId": "https://foo.bar/",
>>   "name": "foo",
>>   "id": 10013986,
>>   "evaluationOrder": 3,
>>   "metadataLocation": "/etc/cas/saml/foo.xml",
>>   "attributeReleasePolicy": {
>>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>   },
>>   "accessStrategy" : {
>>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>>     "enabled" : true,
>>     "requireAllAttributes" : false,
>>     "ssoEnabled" : true,
>>     "requiredAttributes" : {
>>       "@class" : "java.util.HashMap",
>>       "memberOf" : [ "java.util.HashSet", [ "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar" ] ]
>>     }
>>   }
>> }
>>
>> The CAS version I am using is 5.1.
>>
>> Thanks for your help,
>>
>> Nordy
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to cas-user+unsubscr...@apereo.org.
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAA8Tp34kFCWYLEEB4nn8%3DcJki4WCkp-x0V208P%2BfRwdwyqKrXw%40mail.gmail.com
>> 
>> .
>>

Re: [cas-user] Access strategy not working with SAML based service

2021-09-23 Thread Carl Waldbieser
We are using CAS 6.x.  I have a SAML entry in my allow list that looks
similar to this:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "Entity ID goes here ...",
  "id": 1000,
  "evaluationOrder": 1000,
  "name": "SAML Provider",
  "description": "Blah blah blah ...",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "allowedAttributes": [
      "java.util.ArrayList",
      [
        "eduPersonEntitlement"
      ]
    ],
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
      "completeMatch": false,
      "excludeUnmappedAttributes": false,
      "order": 0,
      "patterns": {
        "@class": "java.util.HashMap",
        "eduPersonEntitlement": "^https://example.lafayette.edu/authorized$"
      }
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "unauthorizedRedirectUrl": "https://example.lafayette.edu/pages/403.html",
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "eduPersonEntitlement": [
        "java.util.HashSet",
        [
          "https://example.lafayette.edu/authorized"
        ]
      ]
    }
  },
  "logo": "https://cdn.lafayette.edu/images/logos/example-100x100.png",
  "properties": {
    "@class": "java.util.HashMap",
    "InformationURL": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
      "values": [
        "java.util.HashSet",
        [
          "https://help.lafayette.edu/example"
        ]
      ]
    }
  }
}


Hope that helps.

Thanks,
Carl Waldbieser
ITS
Lafayette College

On Thu, Sep 23, 2021 at 9:44 AM Nordy Di Marzio wrote:

> Hello CAS community,
>
> Wish you are doing great,
>
> I am having a little issue getting the access strategy to work with a SAML
> based service.
>
> More precisely, I am trying to implement access restrictions based on
> group membership, but for now all users are able to log on to the app
> regardless of their group membership, and no error is being logged.
>
> So I am wondering if there is something missing in my config. Could you
> please help me find out what else I should configure?
>
> This is the service file that I am using:
>
> {
>   "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
>   "serviceId": "https://foo.bar/",
>   "name": "foo",
>   "id": 10013986,
>   "evaluationOrder": 3,
>   "metadataLocation": "/etc/cas/saml/foo.xml",
>   "attributeReleasePolicy": {
>     "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>   },
>   "accessStrategy" : {
>     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>     "enabled" : true,
>     "requireAllAttributes" : false,
>     "ssoEnabled" : true,
>     "requiredAttributes" : {
>       "@class" : "java.util.HashMap",
>       "memberOf" : [ "java.util.HashSet", [ "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar" ] ]
>     }
>   }
> }
>
> The CAS version I am using is 5.1.
>
> Thanks for your help,
>
> Nordy
>


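Both service definitions in this thread rely on the same mechanism: DefaultRegisteredServiceAccessStrategy compares the principal's resolved attributes against requiredAttributes, and the file uses Jackson's typed-collection form (["java.util.HashSet", [...]]). The script below is an added example, not code from the CAS project or from either poster: it parses a service file and evaluates a simplified model of that check offline. The functions untype, load_service, required_attributes and access_allowed and the constant GROUP_DN are this example's own names; the sample service is constructed to mirror the memberOf definition posted above, and values are compared by exact string equality (CAS's own strategy has more options that are not reproduced here).

```python
"""Offline check of a CAS service file's access strategy.

Added example for this thread, not code from the CAS project.  It reads a
service definition in the JSON form CAS uses (Jackson typed collections such
as ["java.util.HashSet", [...]]) and evaluates a simplified model of
DefaultRegisteredServiceAccessStrategy against a principal's attributes.
"""
import json

# Constructed sample, modelled on the memberOf-based service in the thread.
SAMPLE_SERVICE_JSON = """
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://foo.bar/",
  "name": "foo",
  "id": 10013986,
  "evaluationOrder": 3,
  "metadataLocation": "/etc/cas/saml/foo.xml",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "requireAllAttributes": false,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "memberOf": ["java.util.HashSet", ["CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar"]]
    }
  }
}
"""

GROUP_DN = "CN=GRP,CN=Users,DC=corp,DC=foo,DC=bar"


def untype(value):
    """Strip Jackson type markers recursively:
    ["java.util.HashSet", [...]] -> [...]; {"@class": ..., k: v} -> {k: v}."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")
            and isinstance(value[1], list)):
        return [untype(v) for v in value[1]]
    if isinstance(value, dict):
        return {k: untype(v) for k, v in value.items() if k != "@class"}
    return value


def load_service(text):
    """Parse a CAS service JSON document into a plain dict (type markers kept)."""
    return json.loads(text)


def required_attributes(service):
    """Return {attribute name: set of required values} from the access strategy."""
    strategy = service.get("accessStrategy", {})
    required = untype(strategy.get("requiredAttributes", {}))
    return {name: set(vals if isinstance(vals, list) else [vals])
            for name, vals in required.items()}


def access_allowed(service, principal_attrs):
    """Simplified model of the default access strategy.

    enabled=false denies everyone.  Otherwise a required attribute is
    satisfied when the principal carries at least one of its listed values
    (exact string match, this model's simplification).  With
    requireAllAttributes=true every required attribute must be satisfied;
    with false, one is enough.  A principal lacking the attribute entirely
    is denied, never allowed.
    """
    strategy = service.get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return False
    required = required_attributes(service)
    if not required:
        return True
    satisfied = []
    for name, wanted in required.items():
        have = principal_attrs.get(name, [])
        if isinstance(have, str):
            have = [have]
        satisfied.append(bool(wanted & set(have)))
    if strategy.get("requireAllAttributes", False):
        return all(satisfied)
    return any(satisfied)


if __name__ == "__main__":
    svc = load_service(SAMPLE_SERVICE_JSON)
    print("required:", required_attributes(svc))
    # Constructed principals: a group member, a member of another group, and
    # one whose memberOf attribute was never resolved at all.
    other = "CN=Other,CN=Users,DC=corp,DC=foo,DC=bar"
    for who, attrs in [("member", {"memberOf": [GROUP_DN, other]}),
                       ("non-member", {"memberOf": [other]}),
                       ("no memberOf", {"uid": "alice"})]:
        print(f"{who}: {'allowed' if access_allowed(svc, attrs) else 'denied'}")
```

Note what the model does for a principal with no memberOf attribute at all: it denies, it does not allow. That makes it a quick sanity check for the symptom reported in this thread (everyone gets in): if the file itself evaluates to deny for a non-member, the definition is sound and the question becomes whether CAS is loading this file at all, which is exactly the failure mode the 2018 thread below on the renamed registry-location property describes.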

Re: [cas-user] Access Strategy not working???

2018-02-23 Thread Tom Poage
I was going to ask about this: Apereo/Unicon, do you have a policy on what/when 
“breaking” changes are allowed between different versions?

E.g. https://semver.org/

In addition to the registry location property change, I think we were also bit 
by a change from JSON to HJSON somewhere back there in a point release.

Thanks!
Tom.

From: <cas-user@apereo.org> on behalf of Travis Schmidt 
<travis.schm...@gmail.com>
Reply-To: "cas-user@apereo.org" <cas-user@apereo.org>
Date: Friday, February 23, 2018 at 8:11 AM
To: "cas-user@apereo.org" <cas-user@apereo.org>
Subject: Re: [cas-user] Access Strategy not working???

The property was changed in 5.2 to cas.serviceRegistry.json.location.  5.2 
currently ignores unknown properties and falls back to default on this.  I got 
bit by this on a deployment two weeks ago.  Also the property names for webflow 
and tgc encryption were changed, so check those as well.



On Fri, Feb 23, 2018 at 7:35 AM Tim Tyler <ty...@beloit.edu> wrote:
CAS users,
Ok, I am on CAS 5.2 on Redhat 7.

I have created a number of services stored in json files in /etc/cas/services.
But I don’t think any of them are getting read by CAS. The CAS-Management
creates them and puts them there. But I am not sure CAS is reading them there.
My goal was to create a service for one of our Moodle development servers
where only staff could access it, not students. I simply added an ldap
attribute which contains the value of Staff. CAS-Management seems to create it
properly. But CAS ignores it.

Instead I get the following results from the CAS Dashboard from the “Attribute
Release” interface (see picture below): the result is https|imap, which I never
created a service for. I had to hunt for where this was coming from and found
it in
/usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json

I tried removing it but it restored itself when I restarted the server. I
don’t understand what is going on here. I have the following setting in cas:
cas.serviceRegistry.config.location: file:/etc/cas/services

So why is CAS finding json services from
/usr/local/cas/target/cas/WEB-INF/classes/services instead of /etc/cas/services
{or at least the dashboard anyways}? Shouldn’t the
“cas.serviceRegistry.config.location” entry be pointing to
/etc/cas/services??? I think I got this from the documentation.

In case this helps, this is in the DevMoodle service registration json file:
@class: org.apereo.cas.services.RegexRegisteredService
  serviceId: https://devmoodle.beloit.edu.*
  name: Dev Moodle
  id: 1519398393836
…..and much more


[inline image: CAS Dashboard “Attribute Release” screenshot, not included in the archive]


Tim Tyler
Network Engineer
Beloit College




RE: [cas-user] Access Strategy not working???

2018-02-23 Thread Tim Tyler
Travis,

Thanks! I think that worked.  That is what I get for reading older
documentation.  I really wish bad lines would not be ignored.  Makes me
wonder what else I have entered might not be doing anything.

Tim



*From:* cas-user@apereo.org [mailto:cas-user@apereo.org] *On Behalf Of *Travis
Schmidt
*Sent:* Friday, February 23, 2018 10:11 AM
*To:* cas-user@apereo.org
*Subject:* Re: [cas-user] Access Strategy not working???



The property was changed in 5.2 to cas.serviceRegistry.json.location.  5.2
currently ignores unknown properties and falls back to default on this.  I
got bit by this on a deployment two weeks ago.  Also the property names for
webflow and tgc encryption were changed, so check those as well.







On Fri, Feb 23, 2018 at 7:35 AM Tim Tyler <ty...@beloit.edu> wrote:

CAS users,

Ok, I am on CAS 5.2 on Redhat 7.

I have created a number of services stored in json files in
/etc/cas/services. But I don’t think any of them are getting read by CAS.
The CAS-Management creates them and puts them there. But I am not sure
CAS is reading them there. My goal was to create a service for one of our
Moodle development servers where only staff could access it, not students.
I simply added an ldap attribute which contains the value of Staff.
CAS-Management seems to create it properly. But CAS ignores it.

Instead I get the following results from the CAS Dashboard from the
“Attribute Release” interface (see picture below): the result is
https|imap, which I never created a service for. I had to hunt for where
this was coming from and found it in
/usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json

I tried removing it but it restored itself when I restarted the server. I
don’t understand what is going on here. I have the following setting in
cas:

cas.serviceRegistry.config.location: file:/etc/cas/services

So why is CAS finding json services from
/usr/local/cas/target/cas/WEB-INF/classes/services instead of
/etc/cas/services {or at least the dashboard anyways}? Shouldn’t the
“cas.serviceRegistry.config.location” entry be pointing to
/etc/cas/services??? I think I got this from the documentation.

In case this helps, this is in the DevMoodle service registration json file:

@class: org.apereo.cas.services.RegexRegisteredService
  serviceId: https://devmoodle.beloit.edu.*
  name: Dev Moodle
  id: 1519398393836
…..and much more

Tim Tyler
Network Engineer
Beloit College




Re: [cas-user] Access Strategy not working???

2018-02-23 Thread Travis Schmidt
The property was changed in 5.2 to cas.serviceRegistry.json.location.  5.2
currently ignores unknown properties and falls back to default on this.  I
got bit by this on a deployment two weeks ago.  Also the property names for
webflow and tgc encryption were changed, so check those as well.



On Fri, Feb 23, 2018 at 7:35 AM Tim Tyler wrote:

> CAS users,
>
> Ok, I am on CAS 5.2 on Redhat 7.
>
> I have created a number of services stored in json files in
> /etc/cas/services. But I don’t think any of them are getting read by CAS.
> The CAS-Management creates them and puts them there. But I am not sure
> CAS is reading them there. My goal was to create a service for one of our
> Moodle development servers where only staff could access it, not students.
> I simply added an ldap attribute which contains the value of Staff.
> CAS-Management seems to create it properly. But CAS ignores it.
>
> Instead I get the following results from the CAS Dashboard from the
> “Attribute Release” interface (see picture below): the result is
> https|imap, which I never created a service for. I had to hunt for where
> this was coming from and found it in
> /usr/local/cas/target/cas/WEB-INF/classes/services/HTTPSandIMAPS-1001.json
>
> I tried removing it but it restored itself when I restarted the server. I
> don’t understand what is going on here. I have the following setting in
> cas:
>
> cas.serviceRegistry.config.location: file:/etc/cas/services
>
> So why is CAS finding json services from
> /usr/local/cas/target/cas/WEB-INF/classes/services instead of
> /etc/cas/services {or at least the dashboard anyways}? Shouldn’t the
> “cas.serviceRegistry.config.location” entry be pointing to
> /etc/cas/services??? I think I got this from the documentation.
>
> In case this helps, this is in the DevMoodle service registration json
> file:
>
> @class: org.apereo.cas.services.RegexRegisteredService
>   serviceId: https://devmoodle.beloit.edu.*
>   name: Dev Moodle
>   id: 1519398393836
> …..and much more
>
> Tim Tyler
> Network Engineer
> Beloit College
>

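The security-relevant part of Travis's answer is that CAS 5.2 silently ignores an unknown property: a stale key name means the intended service registry, and every access strategy defined in it, is never read, and CAS falls back to the service files bundled with it. The script below is an added example, not code from the CAS project or from any poster, that audits a cas.properties text for that rename. The properties excerpt is constructed, RENAMED_KEYS holds only the rename named in this thread, and the functions parse_properties, audit_registry_location, strip_file_scheme and service_files are this example's own names; the `key: value` form is accepted alongside `key=value` because that is how the setting was posted above.

```python
"""Audit a CAS properties file for renamed keys that CAS 5.2 would silently ignore.

Added example for this thread, not code from the CAS project.  Only the
rename discussed here is listed; extend RENAMED_KEYS with others your
deployment has run into.
"""
import os
import re
import tempfile

RENAMED_KEYS = {
    "cas.serviceRegistry.config.location": "cas.serviceRegistry.json.location",
}
JSON_LOCATION_KEY = "cas.serviceRegistry.json.location"

# Constructed sample in the "key: value" form shown in the thread.
SAMPLE_PROPERTIES = """
# constructed cas.properties excerpt
server.name: https://cas.example.edu
cas.serviceRegistry.config.location: file:/etc/cas/services
"""

# Accept both "key=value" and "key: value"; keys never contain ':' or '='.
KV_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Return {key: value} for every non-comment, non-blank line."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        match = KV_LINE.match(line)
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit_registry_location(props):
    """Return (effective JSON registry location or None, list of findings)."""
    findings = []
    for old, new in RENAMED_KEYS.items():
        if old in props:
            findings.append(f"{old} is the pre-5.2 name and is ignored; use {new}")
    location = props.get(JSON_LOCATION_KEY)
    if location is None:
        findings.append(f"{JSON_LOCATION_KEY} is not set: CAS falls back to its "
                        "default registry (the service files bundled on the classpath)")
    return location, findings


def strip_file_scheme(location):
    """file:/etc/cas/services -> /etc/cas/services"""
    return location[len("file:"):] if location.startswith("file:") else location


def service_files(directory):
    """Sorted names of the *.json service definitions CAS would read from directory."""
    return sorted(n for n in os.listdir(directory) if n.endswith(".json"))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    location, findings = audit_registry_location(props)
    for finding in findings:
        print("FINDING:", finding)
    # Apply the rename and re-audit: the location is now honoured.
    fixed = dict(props)
    fixed[JSON_LOCATION_KEY] = fixed.pop("cas.serviceRegistry.config.location")
    location, findings = audit_registry_location(fixed)
    print("after rename, effective location:", strip_file_scheme(location),
          "findings:", findings)
    # Show what the corrected key would make CAS read, using a throwaway
    # directory with constructed file names instead of the real /etc/cas/services.
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("DevMoodle-1519398393836.json", "notes.txt"):
            open(os.path.join(tmp, name), "w").close()
        print("would load:", service_files(tmp))
```

Run against the constructed excerpt it reports both the stale key and the absence of the new one; after the rename it reports nothing and returns the configured path. The same pattern (a table of known renames plus a check that the key you depend on is actually present) is the cheapest answer to Tim's worry about other settings that may be doing nothing.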