I have a working CAS 5.3.3 system with multiple services (21 using the CAS protocol, 1 using SAML2).
I am trying to get access strategy working with the SAML2 service. When I log in with an authorised person, all is good. When I attempt a login where someone is not allowed, I get the following:
org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.apereo.cas.web.flow.login.CreateTicketGrantingTicketAction@6e4f8922 in state 'createTicketGrantingTicket' of flow 'login' -- action execution attributes were 'map[[empty]]'
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:62)
at org.springframework.webflow.action.EvaluateAction.doExecute(EvaluateAction.java:77)
at org.springframework.webflow.action.AbstractAction.execute(AbstractAction.java:188)
at org.springframework.webflow.execution.ActionExecutor.execute(ActionExecutor.java:51)
at org.springframework.webflow.engine.ActionState.doEnter(ActionState.java:101)
at org.springframework.webflow.engine.State.enter(State.java:194)
Notes:
1. I have access strategy working fine with one of the CAS protocol services.
2. The particular attribute I am using for access undergoes a MutantRegexAttributeFilter, HOWEVER I have also tested it with a different attribute (uidNumber) which gives the same issue.
3. Relevant Service JSON is:
{
  "@class": "org.apereo.cas.support.saml.services.SamlRegisteredService",
  ...
  "attributeReleasePolicy": {
    "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
    "attributeFilter": {
      "@class": "org.apereo.cas.services.support.RegisteredServiceMutantRegexAttributeFilter",
      "patterns": {
        "@class": "java.util.LinkedHashMap",
        "memberOf": "^cn=(.*),ou=samlservice,ou=ldapgroups,dc=example,dc=org$ -> $1"
      },
      "excludeUnmappedAttributes": false,
      "caseInsensitive": true,
      "completeMatch": false,
      "order": 0
    },
    "principalAttributesRepository": {
      "@class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository",
      "expiration": 2,
      "timeUnit": "HOURS"
    },
    "consentPolicy": {
      "@class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy",
      "enabled": true
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "allowedAttributes": [ "java.util.ArrayList", [ "uidNumber", "displayName", "cn", "memberOf" ] ]
  },
  ...
  "accessStrategy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
    },
    "requireAllAttributes": true,
    "requiredAttributes": {
      "@class": "java.util.LinkedHashMap",
      "memberOf": [ "java.util.LinkedHashSet", [ "login" ] ]
    },
    "caseInsensitive": false
  },
  ...
}
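The following is an added example, not code from the post above and not CAS's own implementation. It is a small Python model of the two pieces of the posted service definition that interact here: the access strategy's requiredAttributes check and the mutant regex filter that rewrites memberOf. It assumes (and these are assumptions, not facts taken from the post) that the access strategy is evaluated against the principal's resolved attributes before the release policy's filter runs, that each required value is treated as a regex tried with a find-style search against every value the principal carries, and that mutant-filter values that do not match their mapped pattern are dropped. The sample principal and group DNs are constructed for the example.

```python
import re
from typing import Dict, Iterable, Mapping, Set

Attributes = Dict[str, Set[str]]

# Constructed sample principal; attribute names follow the posted service JSON.
SAMPLE_PRINCIPAL: Attributes = {
    "uidNumber": {"1001"},
    "displayName": {"Example User"},
    "cn": {"euser"},
    "memberOf": {
        "cn=login,ou=samlservice,ou=ldapgroups,dc=example,dc=org",
        "cn=staff,ou=ldapgroups,dc=example,dc=org",
    },
}

# accessStrategy.requiredAttributes from the post.
REQUIRED = {"memberOf": {"login"}}

# attributeFilter.patterns from the post ("regex -> replacement").
MUTANT_PATTERNS = {
    "memberOf": r"^cn=(.*),ou=samlservice,ou=ldapgroups,dc=example,dc=org$ -> $1",
}


def mutate_attributes(attributes: Mapping[str, Iterable[str]],
                      patterns: Mapping[str, str],
                      case_insensitive: bool = True,
                      complete_match: bool = False,
                      exclude_unmapped: bool = False) -> Attributes:
    """Model of RegisteredServiceMutantRegexAttributeFilter (assumption: values that
    do not match their mapped pattern are dropped; unmapped attributes are kept
    unless exclude_unmapped is set)."""
    flags = re.IGNORECASE if case_insensitive else 0
    out: Attributes = {}
    for name, values in attributes.items():
        spec = patterns.get(name)
        if spec is None:
            if not exclude_unmapped:
                out[name] = set(values)
            continue
        pattern, _, replacement = spec.partition("->")
        regex = re.compile(pattern.strip(), flags)
        # Java-style "$1" back-references become Python's "\1".
        py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement.strip())
        mutated: Set[str] = set()
        for value in values:
            match = regex.fullmatch(value) if complete_match else regex.search(value)
            if match:
                mutated.add(match.expand(py_replacement))
        if mutated:
            out[name] = mutated
    return out


def is_access_allowed(principal: Mapping[str, Iterable[str]],
                      required: Mapping[str, Iterable[str]],
                      require_all: bool = True,
                      case_insensitive: bool = False,
                      values_are_regex: bool = True) -> bool:
    """Model of DefaultRegisteredServiceAccessStrategy.requiredAttributes
    (assumption: required values are regexes searched within each principal value;
    values_are_regex=False switches to exact comparison for contrast)."""
    if not required:
        return True
    flags = re.IGNORECASE if case_insensitive else 0

    def satisfied(name: str, wanted: Iterable[str]) -> bool:
        have = set(principal.get(name, ()))
        if values_are_regex:
            pattern = re.compile("|".join(f"(?:{w})" for w in wanted), flags)
            return any(pattern.search(v) for v in have)
        wanted_set = {w.lower() for w in wanted} if case_insensitive else set(wanted)
        return any((v.lower() if case_insensitive else v) in wanted_set for v in have)

    results = [satisfied(n, w) for n, w in required.items()]
    return all(results) if require_all else any(results)


def evaluate(principal: Mapping[str, Iterable[str]]) -> Dict[str, bool]:
    """Run the posted accessStrategy against the raw principal attributes and against
    the attributes after the mutant filter has rewritten memberOf, under both
    matching semantics, so the difference is visible."""
    mutated = mutate_attributes(principal, MUTANT_PATTERNS)
    return {
        "raw_regex": is_access_allowed(principal, REQUIRED),
        "raw_exact": is_access_allowed(principal, REQUIRED, values_are_regex=False),
        "mutated_regex": is_access_allowed(mutated, REQUIRED),
        "mutated_exact": is_access_allowed(mutated, REQUIRED, values_are_regex=False),
    }


if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_PRINCIPAL).items():
        print(f"{key}: {value}")
```

The point of running both orderings is that the required value "login" only equals the mutated memberOf ("login"); against the raw DN it passes only because a regex search finds "login" inside "cn=login,ou=samlservice,...". Checking which attribute view and which matching semantics the strategy actually sees in a given CAS version is the first thing to confirm when a required-attribute rule behaves differently between two services.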