I suppose there are two things to review:
1. The case you are describing actually works OK for me. If I have a
SAML SP and I try to pretend it's a CAS SP, I correctly get
"application unauthorized". So either something is missing in your
setup, or I am overlooking something. Of course "it works for me"
means nothing. You should likely start with a test case that tries to
reproduce this, with puppeteer specially so we can see where the
problem is. Either way, the @class attribute indicates the allowed
protocol. We shouldn't need to make any other adjustments.
2. For the more general case, I have often thought about going down
the same route as you suggest, to break up CAS SPs into their own
entity and make the regex service some sort of parent abstract entity.
Initial research shows that this is tons of work [never to be
seriously funded by anyone], with potential to break the world with
minor benefits which do not make this worthwhile. If this were to be
done, v7 would be a good target but I would need to be 300% sure this
is necessary, and cannot be fixed/improved in any other "easy" way,
and that it should start with a concrete use case or problem that can
be produced in #1.
> To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CAP279LwwkU8Y9%2BJ_JbJQMAt%2Be5VoPnXxUkH%2B_e1rzs%2BbEj8Adw%40mail.gmail.com.
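For readers following point 1 above, here is an illustration of what "the @class attribute indicates the allowed protocol" looks like in a CAS JSON service registry. This is an added example, not part of the original message or of the CAS project's own test data. The two `@class` names are the CAS service types for the CAS and SAML2 protocols as documented by the project; the service ids, names, URLs and numeric ids are constructed for the example.

```json
[
  {
    "@class": "org.apereo.cas.services.CasRegisteredService",
    "serviceId": "^https://app.example.org/.*",
    "name": "Example CAS client (constructed)",
    "id": 1001,
    "description": "Only the CAS protocol is allowed for this service."
  },
  {
    "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
    "serviceId": "https://sp.example.org/shibboleth",
    "name": "Example SAML SP (constructed)",
    "id": 1002,
    "metadataLocation": "https://sp.example.org/metadata.xml",
    "description": "Only the SAML2 protocol is allowed for this service; a CAS-protocol request for this entity should be rejected as unauthorized."
  }
]
```

When checking the behaviour described above, the thing to verify is that a CAS-protocol request (for example to the login endpoint with a `service` parameter matching the SAML entry) is refused with the "application unauthorized" outcome rather than issuing a CAS ticket, since the `@class` of the matched definition, not the URL pattern alone, decides which protocol the service may use.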