We have a mod_auth_cas installation where the CAS server on the other
end is sending us XML attributes in their response. I don't have any
details on their CAS server version. What I do know is that we are
using the serviceValidate url for validation. The CAS server in
question does NOT have a samlValidate url option for us.
When a user authenticates to our application, we get a validation
response from their CAS server that looks like this:
[Thu Feb 22 14:41:23.833837 2018] [:debug] [pid 21153] mod_auth_cas.c(1838): [client 10.1.88.60:39852] Validation response:
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas"><cas:authenticationSuccess><cas:user>jdoe</cas:user><cn><![CDATA[---
- John Doe
]]></cn><campusstatus><![CDATA[---
- Staff
]]></campusstatus><sn><![CDATA[---
- Doe
]]></sn><departmentnumber><![CDATA[---
- Student Affairs
]]></departmentnumber><givenname><![CDATA[---
- John
]]></givenname></cas:authenticationSuccess></cas:serviceResponse>
As long as we use require valid-user, everything is fine, and users gain
access to the application.
My question: can mod_auth_cas work with these XML attributes
for authorization control, without having access to a samlValidate url
option? For example, we would like to instruct Apache to limit access
to those users who have "Staff" in the "<campusstatus>" element.
Thanks!
Bryan
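
Added example, not part of the original post and not mod_auth_cas code: a Python parser for a serviceValidate response of the shape shown above, with an exact-match check on one attribute that denies on any parse or validation failure. The function names, the constructed sample, and the reading of the CDATA bodies as "- value" list items are assumptions drawn from the logged response.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# Constructed sample mirroring the logged response in the post.
SAMPLE = (
    '<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">'
    '<cas:authenticationSuccess><cas:user>jdoe</cas:user>'
    '<cn><![CDATA[---\n- John Doe\n]]></cn>'
    '<campusstatus><![CDATA[---\n- Staff\n]]></campusstatus>'
    '</cas:authenticationSuccess></cas:serviceResponse>'
)

def yaml_list(text):
    """Decode the '---' / '- value' form seen in the CDATA sections (assumed format)."""
    values = []
    for line in (text or "").splitlines():
        line = line.strip()
        if line.startswith("- "):      # anything else, including '---', is ignored
            values.append(line[2:].strip())
    return values

def parse_validation(xml_text):
    """Return (user, attributes); (None, {}) unless the response is a success."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, {}
    success = root.find(CAS_NS + "authenticationSuccess") if root.tag == CAS_NS + "serviceResponse" else None
    user = success.findtext(CAS_NS + "user") if success is not None else None
    if not user or not user.strip():
        return None, {}
    attrs = {}
    for child in success:
        if child.tag.startswith("{"):  # skip namespaced cas:* elements such as cas:user
            continue
        attrs.setdefault(child.tag, []).extend(yaml_list(child.text))
    return user.strip(), attrs

def is_authorized(xml_text, attribute, required):
    """True only for a valid success response whose attribute has the exact value."""
    user, attrs = parse_validation(xml_text)
    return user is not None and required in attrs.get(attribute, [])
```

The comparison is against whole values, so a campusstatus of "Staff Emeritus" does not satisfy a requirement of "Staff".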