Access Policy for Shibolethozed services
28 views
Skip to first unread message
fjannin4
Jun 16, 2022, 11:46:53 PM6/16/22
to CAS Community
Hi all,
We use Shiboleth IDP to enable SAML and federation enabled
authentication over CAS.
I have to apply access policy of a given Shibboleth service using a LDAP
group, while all other Shibboleth services have no access policy.
Is there a way to do this ?
I have definied two services : one with access policy, the other
without, with two different regexp (serviceid) :
Regexp are tested as matching the given urls
Whatever evalauation order iI use, It seems the part of url is not taken
into account in CAS evaluation, and it is always the service with
generic regexp that match the rule, with no restriction so.
My URL to restricted service is like :
https://idp.mydomain.fr/idp/Authn/ExtCas?conversation=e1s1&entityId=https://restricted-service.fr/auth/saml2
My regexp to try to match this restricted service is :
^(http|https):\/\/(.*)idp\.mydomain\.fr\/.*restricted-service.*$
my regexp for all other IDP services :
^(http|https):\/\/(.*)idp\.mydomain\.fr\/.*$
I have missed something ? If any one has an idea to get something
similar to work or was facing the same case, thanks a lot for any clue
or hint !
Regards
François
We use Shiboleth IDP to enable SAML and federation enabled
authentication over CAS.
I have to apply access policy of a given Shibboleth service using a LDAP
group, while all other Shibboleth services have no access policy.
Is there a way to do this ?
I have definied two services : one with access policy, the other
without, with two different regexp (serviceid) :
Regexp are tested as matching the given urls
Whatever evalauation order iI use, It seems the part of url is not taken
into account in CAS evaluation, and it is always the service with
generic regexp that match the rule, with no restriction so.
My URL to restricted service is like :
https://idp.mydomain.fr/idp/Authn/ExtCas?conversation=e1s1&entityId=https://restricted-service.fr/auth/saml2
My regexp to try to match this restricted service is :
^(http|https):\/\/(.*)idp\.mydomain\.fr\/.*restricted-service.*$
my regexp for all other IDP services :
^(http|https):\/\/(.*)idp\.mydomain\.fr\/.*$
I have missed something ? If any one has an idea to get something
similar to work or was facing the same case, thanks a lot for any clue
or hint !
Regards
François
Ray Bon
Jun 17, 2022, 11:54:15 AM6/17/22
to cas-...@apereo.org
François,
Set 'evaluationOrder' for the services, more specific regex first. See https://apereo.github.io/cas/6.5.x/services/Service-Management.html
You can also create your service identified by the entityId (no regex required) https://apereo.github.io/cas/6.5.x/integration/Shibboleth.html#relying-party-entityid
Ray
On Wed, 2022-06-15 at 17:50 +0200, fjannin4 wrote:
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--- Website:https://apereo.github.io/cas- Gitter Chatroom:https://gitter.im/apereo/cas- List Guidelines:https://goo.gl/1VRrw7- Contributions:https://goo.gl/mh7qDG---You received this message because you are subscribed to the Google Groups "CAS Community" group.To unsubscribe from this group and stop receiving emails from it, send an email tocas-user+u...@apereo.org.To view this discussion on the web visithttps://groups.google.com/a/apereo.org/d/msgid/cas-user/2bd9a4c6-4210-584d-9ef3-26914c353b79%40gmail.com.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | rb...@uvic.ca
I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.
Reply all
Reply to author
Forward
0 new messages