Rejecting based on attributes


Marcus Watkins

Sep 15, 2017, 4:17:54 PM
to CAS Community
Hi,

We have two authentication methods -- LDAP and a third party SSO tool implemented as an AbstractNonInteractiveCredentialsAction.

Our LDAP group config is nonstandard, so I've also implemented an attribute lookup by overriding the attributeRepositories bean with my own PersonAttributeDao to enumerate groups. This method has the added benefit of also triggering a lookup for the SSO users.

So far so good: with both methods, everyone comes across properly with attributes.

Now, though, I have to somehow reject users if they don't have specific attribute values. I've been looking for the proper hook, and I thought it was going to be authenticationPolicyFactory, but its isSatisfiedBy never seems to be called. Before I started plugging breakpoints everywhere I thought I'd ask:

Any suggestions on the cleanest way to hook in there to reject a user based on attribute values? Or have I done this all wrong?

Thanks!

-Marcus Watkins

Andy Ng

Sep 16, 2017, 6:10:11 AM
to CAS Community
Hi Marcus,

If you are using 5.0.x or later, there should be a requiredAttributes field mentioned in the doc "https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html".

You will need to group all your users that need the restriction to the same service, then do something like below:

MyService-101.json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "https://this-is-your-site.example.com",
  "name" : "My Service",
  "id" : 101,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "requireAllAttributes" : false,
    "ssoEnabled" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "requiredAttributeHere1" : [ "java.util.HashSet", [ ".+" ] ],
      "requiredAttribute2" : [ "java.util.HashSet", [ ".+" ] ]
    }
  }
}

Note: those restrictions are regex supported; that's why I use .+.

Then route the user to the service like this:
https://sso.cas.mycas?service=https%3A%2F%2Fthis-is-your-site.example.com

When a user attempts to log in, the attribute restriction should be triggered.

Is this the kind of behavior you want to implement?

-Andy
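The access-strategy behaviour Andy describes, worked through as an added example that is not part of the original thread and is not CAS code: a small Python model of how a DefaultRegisteredServiceAccessStrategy `requiredAttributes` block decides access, so the policy can be reasoned about before it is deployed. Assumptions, labelled in the code as well: a required attribute is satisfied when any of the principal's values for it fully matches any configured regex (anchor your patterns if you are unsure how your CAS version matches), `requireAllAttributes` switches between "every required attribute" and "at least one", and the `caseInsensitive` flag, the attribute names `memberOf` and `eduPersonAffiliation`, and the sample principals are all constructed for the illustration.

```python
"""Added example (not CAS code): a Python model of how a CAS
DefaultRegisteredServiceAccessStrategy `requiredAttributes` policy decides
access. Assumptions: full-match regex semantics per attribute value,
`requireAllAttributes` chooses AND vs. ANY across required attributes, and
`caseInsensitive` applies re.IGNORECASE. Service block and principals below
are constructed sample data, not real users or a real registry entry.
"""
import re
from typing import Dict, Iterable, List, Mapping, Tuple


def _as_list(value) -> List[str]:
    """Attributes may be single- or multi-valued; normalise to a list of strings."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def required_attributes_satisfied(
    principal_attrs: Mapping[str, object],
    required: Mapping[str, Iterable[str]],
    require_all: bool = True,
    case_insensitive: bool = False,
) -> bool:
    """Return True if the principal's attributes satisfy the required-attribute policy."""
    if not required:
        return True  # nothing required: this strategy does not restrict by attribute
    flags = re.IGNORECASE if case_insensitive else 0
    results = []
    for name, patterns in required.items():
        compiled = [re.compile(p, flags) for p in patterns]
        values = _as_list(principal_attrs.get(name))
        # A missing attribute never matches, so ".+" only enforces presence of *some* value.
        results.append(any(rx.fullmatch(v) for v in values for rx in compiled))
    return all(results) if require_all else any(results)


def policy_from_cas_json(access_strategy: dict) -> Tuple[Dict[str, List[str]], bool, bool]:
    """Unwrap the Jackson typed-collection form used in CAS JSON service files:
    {"@class": "java.util.HashMap", "attr": ["java.util.HashSet", ["pattern", ...]]}."""
    raw = access_strategy.get("requiredAttributes", {})
    required = {name: list(typed[1]) for name, typed in raw.items() if name != "@class"}
    return (
        required,
        bool(access_strategy.get("requireAllAttributes", True)),
        bool(access_strategy.get("caseInsensitive", False)),  # assumed flag name
    )


def evaluate(access_strategy: dict, principals: Mapping[str, dict]) -> Dict[str, bool]:
    """Apply one service's accessStrategy block to each principal; False means rejected."""
    if not access_strategy.get("enabled", True):
        return {user: False for user in principals}
    required, require_all, ci = policy_from_cas_json(access_strategy)
    return {user: required_attributes_satisfied(attrs, required, require_all, ci)
            for user, attrs in principals.items()}


# Constructed accessStrategy block: specific, literal values instead of ".+".
ACCESS_STRATEGY = {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled": True,
    "requireAllAttributes": True,
    "requiredAttributes": {
        "@class": "java.util.HashMap",
        "memberOf": ["java.util.HashSet", [r"cn=app-users,ou=groups,dc=example,dc=com"]],
        "eduPersonAffiliation": ["java.util.HashSet", ["staff", "faculty"]],
    },
}

# Constructed principals (hypothetical attribute names and values).
PRINCIPALS = {
    "alice": {"memberOf": ["cn=app-users,ou=groups,dc=example,dc=com"],
              "eduPersonAffiliation": ["staff"]},
    "bob":   {"memberOf": ["cn=other,ou=groups,dc=example,dc=com"],
              "eduPersonAffiliation": ["staff"]},
    "carol": {"memberOf": "cn=app-users,ou=groups,dc=example,dc=com"},  # single value, no affiliation
    "dave":  {},  # attribute lookup returned nothing for this SSO user
}

if __name__ == "__main__":
    print("requireAllAttributes=true :", evaluate(ACCESS_STRATEGY, PRINCIPALS))
    loose = dict(ACCESS_STRATEGY, requireAllAttributes=False)
    print("requireAllAttributes=false:", evaluate(loose, PRINCIPALS))
```

Two things the model makes visible that the JSON alone does not: a `.+` pattern accepts any non-empty value, so it only checks that the attribute was resolved at all, and with `requireAllAttributes` set to false a principal is admitted as soon as any one required attribute matches. If the goal is to reject users who lack specific values, as in the original question, list the exact values (or tightly anchored patterns) and keep `requireAllAttributes` true, then confirm the outcome against your own CAS version's matching rules before relying on it.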