Strict Authentication Source Policy with newer Authentication Policy approach - CAS 6.2.3
Colin Ryan
Folks,
I have 2 authentication sources. I have services that I want strictly to only accept success via a specific source. Even if the same credential pair could succeed in either.
I've been trying to user the "newer"? authenticationPolicy approaches as the logs in my 6.2.3 builds were warning about deprecation of the requiredAuth configurations.
So I have LDAP and Radius both backed by the same LDAP but for
other reasons I want a particular policy to specifically require
authentication to one or the other.
So to force Radius only to be accepted in a service definition I've tried the below. But if for example, I fail on the Radius auth and then try again it ends up Authenticating against LDAP1.
Missing something?
authenticationPolicy:
{
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
"requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]],
criteria": {
"@class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
}
}
Thanks
Colin
Ray Bon
Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.
--
Colin Ryan
Ray,
That's where I picked up the configurations for what I've been trying but it seems like it's still falling through past the Handler I want to be required.
Was just wondering if I'm misinterpreting the need for or the context of using the criteria configurations as well.
The configuration example I outlined is basically pulled from that page.
Colin
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2cc902b81b87bb8b64c476842c72dc9451089ae2.camel%40uvic.ca.
Colin Ryan
So this is the current format of this configuration, I'm using
the wildcard and the /cas/login page itself to simply verify
things.
{
"@class" : "org.apereo.cas.services.RegexRegisteredService",
"serviceId" : "^(https|imaps)://.*",
"name" : "HTTPS and IMAPS",
"id" : 10000001,
"evaluationOrder": 99999
"authenticationPolicy":
{
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
"requiredAuthenticationHandlers": ["java.util.TreeSet", ["Radius"]],
"excludedAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]]
}
}
I've also put the following in cas.properties
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false cas.authn.policy.req.handler-name=Radius cas.authn.policy.req.enabled=true
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/cc75a06d-7d74-8398-f56c-e60c450783dd%40caveo.ca.
