Hi all,
I've got a SAML service that has login requirements that must be performed on the CAS/IdP side.
Basically, I want a list of users (matched by uid) to be allowed access to this specific service, and went ahead configuring a service. The service config is below:
{
  @class: org.apereo.cas.support.saml.services.SamlRegisteredService
  name: Some Service
  id: 1005
  serviceId: https://example.com/shibboleth-sp
  attributeReleasePolicy: {
    @class: org.apereo.cas.services.ReturnMappedAttributeReleasePolicy
    allowedAttributes: {
      @class: java.util.TreeMap
      uid: uid
      mail: special-mail-name
    }
  }
  accessStrategy: {
    @class: org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy
    enabled: true
    ssoEnabled: true
    requiredAttributes: {
      @class: java.util.HashMap
      uid: ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
    }
  }
  proxyPolicy: {
    @class: org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy
  }
  metadataLocation: /etc/cas/metadata/metadata.xml
  metadataCriteriaPattern: https://example.com/shibboleth-sp
}
login, and it works. I am denied when I should be and allowed when I should be.
The problem is when I go to use the service properly. I go to the service, get redirected back to CAS,
and the access strategy is completely ignored. I see the below:
DEBUG [org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy] - <Final collection of attributes allowed are: [{uid=mareid, mail=something}]>
DEBUG [org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy] - <Skipping access strategy policy, since no attributes rules are defined>
After doing some digging, it seems like the SAML services use the RegexRegisteredService instead of
the actual service when performing authentication. Now I am stuck: I have other SAML services that
use the RegexRegisteredService, but I want to be able to limit authorization only in this specific service.
Is there any other way to do authorization at the CAS end for SAML services?
Thanks,
Mac Reid
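To make the failure mode in this thread concrete, here is an added example (not CAS code, and not from the poster) that reads a service definition like the one above, pulls out the requiredAttributes rules, and evaluates a principal against them the way the DEBUG lines describe: when no rules are present the policy is skipped and access is granted, otherwise every required attribute needs at least one value matching one of its patterns. It assumes strict JSON (the poster's file is in CAS's relaxed HJSON-style syntax) and uses re.search for matching, which is why the ^...$ anchors in the poster's patterns matter; the exact matching mode CAS uses is not stated on the page. The principal attributes and the second service definition without rules are constructed inputs.

```python
import json
import re
from typing import Dict, List, Mapping, Sequence, Union

# Constructed sample: the poster's access strategy, rewritten as strict JSON.
# Release policy, proxy policy and metadata settings are omitted because they
# play no part in the access decision.
SERVICE_JSON = """
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  "name": "Some Service",
  "id": 1005,
  "serviceId": "https://example.com/shibboleth-sp",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true,
    "ssoEnabled": true,
    "requiredAttributes": {
      "@class": "java.util.HashMap",
      "uid": ["java.util.HashSet", ["^bob$", "^joe$", "^sue$"]]
    }
  }
}
"""

# Constructed sample: a definition whose strategy carries no attribute rules,
# i.e. the situation behind "Skipping access strategy policy" in the log.
NO_RULES_JSON = """
{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "name": "Catch-all",
  "id": 1,
  "serviceId": "^https://.*",
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": true
  }
}
"""


def load_service(text: str) -> dict:
    """Parse a strict-JSON service definition."""
    return json.loads(text)


def required_attribute_rules(service: Mapping) -> Dict[str, List[str]]:
    """Return attribute name -> list of regex patterns from accessStrategy.requiredAttributes.
    The ["java.util.HashSet", [...]] wrapper used by CAS's JSON serializer is unwrapped."""
    strategy = service.get("accessStrategy") or {}
    rules: Dict[str, List[str]] = {}
    for name, value in (strategy.get("requiredAttributes") or {}).items():
        if name == "@class":
            continue
        if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
            value = value[1]
        rules[name] = [str(v) for v in value]
    return rules


def strategy_has_rules(service: Mapping) -> bool:
    """True when the definition actually constrains access; False reproduces the
    'no attributes rules are defined' case, where the policy is skipped."""
    return bool(required_attribute_rules(service))


def evaluate_access(rules: Mapping[str, Sequence[str]],
                    principal: Mapping[str, Union[str, Sequence[str]]]) -> bool:
    """Grant when there are no rules (policy skipped), otherwise require that every
    rule attribute has at least one value matching at least one pattern (re.search,
    so unanchored patterns would also match substrings)."""
    if not rules:
        return True
    for attr, patterns in rules.items():
        values = principal.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if not any(re.search(p, v) for p in patterns for v in values):
            return False
    return True


def decide(service_text: str, principal: Mapping[str, Union[str, Sequence[str]]]) -> bool:
    """End-to-end: parse the definition, extract rules, evaluate the principal."""
    return evaluate_access(required_attribute_rules(load_service(service_text)), principal)


if __name__ == "__main__":
    for uid in ("bob", "bobby", "mareid"):
        print(uid, "->", "allowed" if decide(SERVICE_JSON, {"uid": uid}) else "denied")
    print("catch-all has rules:", strategy_has_rules(load_service(NO_RULES_JSON)))
```

Running strategy_has_rules over every definition that can match a given SAML entity is a quick way to spot the situation the poster hit: if the definition CAS actually selects is one without requiredAttributes, the evaluator (and CAS, per the DEBUG line) grants access regardless of what the intended definition says.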