CAS service accessStrategy and external SAML IdP?
37 views
Skip to first unread message
Carl Waldbieser
Nov 4, 2020, 3:29:35 PM11/4/20
to cas-user
Hi,
I'm running the Internet2 Shibboleth IdP and delegating authentication to CAS v6.2 for authentication. I know CAS can do its own SAML negotiation, but this is configuration my institution is currently happy with.
We are using the Unicon shibcas authenticator 3 (https://github.com/Unicon/shib-cas-authn3) to make this work.
When the IdP passes authentication to CAS, I can have CAS service entries set up that can be used for displaying service info on our CAS login page just like a service using the CAS protocol. However, the "accessStrategy" configuration doesn't seem to be working for this service. Is this configuration not supported? Authentication is successful despite the fact that the principal doesn't have the required attributes.
Here is my example service configuration:
Any help would be appreciated!{"@class": "org.apereo.cas.services.RegexRegisteredService","serviceId": "https://account-d.docusign.com/organizations/7b69e84c-b873-4923-85b7-b9930c08d975/saml2","id": 6860,"attributeReleasePolicy": {"@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy","allowedAttributes": ["java.util.ArrayList",["eduPersonEntitlement"]],"attributeFilter": {"@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter","completeMatch": false,"excludeUnmappedAttributes": false,"order": 0,"patterns": {"@class": "java.util.HashMap","eduPersonEntitlement": "^https://docusign-sandbox.lafayette.edu/$"}}},"accessStrategy": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy","unauthorizedRedirectUrl": "https://cas.stage.lafayette.edu/cas/html/403.html","requiredAttributes": {"@class": "java.util.HashMap","eduPersonEntitlement": ["java.util.HashSet",[]]}},"evaluationOrder": 6860,"name": "DocuSign Sandbox","description": "DocuSign is an electronic signature and document routing service that securely transmits documents for signing.","properties": {"@class": "java.util.HashMap","InformationURL": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty","values": ["java.util.HashSet",[]]}}}
Thanks,
Carl Waldbieser
ITS
Lafayette College
Ray Bon
Nov 5, 2020, 11:45:52 AM11/5/20
to cas-...@apereo.org
Carl,
Try these loggers to get details on the attributes and decision cas is making:
<!-- DEBUG Found principal attributes [...] for [username]
Attribute policy [???] allows release of [...] for [username]
Final collection of attributes allowed are: [...] -->
<AsyncLogger name="org.apereo.cas.services.AbstractRegisteredServiceAttributeReleasePolicy" level="warn"/>
<!-- DEBUG Skipping access strategy policy - when no attributes rules are defined
These required attributes [...] are examined against [...] before service can proceed - when attrubutes are defined -->
<AsyncLogger name="org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy" level="warn"/>
<!-- DEBUG CAS will not authorize the release of ... given the service is denied access to all attributes -->
<AsyncLogger name="org.apereo.cas.services.DenyAllAttributeReleasePolicy" level="warn"/>
You may need a more general logger, but try those first.
Ray
On Wed, 2020-11-04 at 15:29 -0500, Carl Waldbieser wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
Reply all
Reply to author
Forward
0 new messages