CAS 5.1.5 SAML Service Access Strategy


Mac Reid

Jan 24, 2018, 2:31:32 PM
to CAS Community
Hi all,

I've got a SAML service that has login requirements that must be performed on the CAS/IdP side.
Basically, I want a list of users (matched by uid) to be allowed access to this specific service.

and went ahead configuring a service. The service config is below:

{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "name": "Some Service",
  "id": 1005,
  "serviceId": "https://example.com/shibboleth-sp",
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes": {
      "@class": "java.util.TreeMap",
      "uid": "uid",
      "mail": "special-mail-name"
    }
  },
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "uid": ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
    }
  },
  "proxyPolicy": {
    "@class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "metadataLocation": "/etc/cas/metadata/metadata.xml",
  "metadataCriteriaPattern": "https://example.com/shibboleth-sp"
}


login, and it works. I am denied when I should be and allowed when I should be.

The problem is when I go to use the service properly. I go to the service, get redirected back to CAS,
and the access strategy is completely ignored. I see the below:

DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{uid=mareid, mail=something}]>
DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>


After doing some digging, it seems like the SAML services use the RegexRegisteredService instead of
the actual service when performing authentication. Now I am stuck: I have other SAML services that
use the RegexRegisteredService, but I want to be able to limit authorization only in this specific service.

Is there any other way to do authorization at the CAS end for SAML services?

Thanks,

Mac Reid
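The two things the post is wrestling with, how `requiredAttributes` in a service's `accessStrategy` is evaluated and which of several registered definitions a request actually lands on, can be checked offline. The Python below is an added example, not CAS code and not the poster's configuration; it approximates the `DefaultRegisteredServiceAccessStrategy` semantics (required attribute values are regex-matched, and an empty rule set skips the check, which is the branch behind the "Skipping access strategy policy" log line) and the first-match-by-`evaluationOrder` lookup. The first definition is modelled on the one in the post with an `evaluationOrder` added; the second, a catch-all `RegexRegisteredService` with `serviceId` `^https://.*`, is a hypothetical stand-in for the kind of broad definition the poster suspects is shadowing the SAML one. Matching uses `re.search`, which with the anchored patterns above behaves like a full match.

```python
import json
import re

# Constructed service definitions for an offline demonstration. The first is
# modelled on the SamlRegisteredService in the post (evaluationOrder added);
# the second is a hypothetical catch-all RegexRegisteredService of the kind the
# post suspects is shadowing it. Neither is loaded from a real CAS registry.
SAML_SERVICE = json.loads(r'''
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "serviceId": "https://example.com/shibboleth-sp",
  "name": "Some Service",
  "id": 1005,
  "evaluationOrder": 10,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "uid": ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
    }
  }
}
''')

CATCH_ALL_SERVICE = json.loads(r'''
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^https://.*",
  "name": "Catch-all (hypothetical)",
  "id": 1,
  "evaluationOrder": 0,
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true
  }
}
''')


def required_attribute_rules(service):
    """Return {attribute: [regex, ...]} from accessStrategy.requiredAttributes.

    Strips the Jackson type markers CAS writes into its JSON: "@class" keys and
    the ["java.util.HashSet", [...]] wrapper around each value set.
    """
    required = service.get("accessStrategy", {}).get("requiredAttributes", {})
    rules = {}
    for attr, value in required.items():
        if attr == "@class":
            continue
        if (isinstance(value, list) and len(value) == 2
                and isinstance(value[0], str) and isinstance(value[1], list)):
            value = value[1]
        rules[attr] = [str(v) for v in value]
    return rules


def access_allowed(service, principal_attributes, require_all=True):
    """Approximation of DefaultRegisteredServiceAccessStrategy (assumed, not CAS code).

    - a disabled strategy denies everyone;
    - with no requiredAttributes the check is skipped and access is granted,
      which is the branch behind the "Skipping access strategy policy" log line;
    - otherwise every (or, with require_all=False, any) required attribute must
      have at least one released value matching one of its regex patterns.
    """
    strategy = service.get("accessStrategy", {})
    if not strategy.get("enabled", True):
        return False
    rules = required_attribute_rules(service)
    if not rules:
        return True
    results = []
    for attr, patterns in rules.items():
        values = principal_attributes.get(attr, [])
        if isinstance(values, str):
            values = [values]
        results.append(any(re.search(p, str(v)) for p in patterns for v in values))
    return all(results) if require_all else any(results)


def matching_services(definitions, service_url):
    """Names of the definitions whose serviceId regex matches service_url, in the
    order CAS would consider them (ascending evaluationOrder; first match wins)."""
    ordered = sorted(definitions, key=lambda s: s.get("evaluationOrder", 0))
    return [s["name"] for s in ordered if re.search(s["serviceId"], service_url)]


if __name__ == "__main__":
    print(access_allowed(SAML_SERVICE, {"uid": "bob"}))
    print(access_allowed(SAML_SERVICE, {"uid": "mareid", "mail": "something"}))
    print(access_allowed(CATCH_ALL_SERVICE, {"uid": "mareid"}))
    print(matching_services([SAML_SERVICE, CATCH_ALL_SERVICE],
                            "https://example.com/shibboleth-sp"))
```

Run against the released attributes from the post's log line (`uid=mareid`), the SAML definition denies, but the catch-all definition grants because it carries no attribute rules; and `matching_services` shows that the catch-all is considered first for the SP's entity ID, which is the shadowing the post describes. The same functions can be pointed at a directory of real JSON service files to list every definition whose `serviceId` overlaps another's.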
