CAS Shibboleth, check user attribute before granting acess

[Pablo Vidaurri]

Currently using standalone shib. I have a configuration in flow/intercept to check for a user attribute. If it is not a certain value, then we deny him access to the app he trying to log into. Shib allows me to define the entity-id in rely party to force this check, so I can decide which service needs this attribute set.

Now, trying to use CAS-Shib. How can I do the same?

1) Check user attribute, if not value "X" then display message that he needs to do something first.

2) Be able to define which SAML service needs this attribute set.

Thanks.

-psv

[Carl Waldbieser]

Pablo,

We have a config similar to this for a particular service:

{
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "https://service.example.net/login/saml2",
    "id": 1000,
    "evaluationOrder": 1000,
    "name": "DocuSign",
    "description": "An example service.",
    "attributeReleasePolicy": {
        "@class": "org.apereo.cas.services.ReturnAllowedAttributeReleasePolicy",
        "allowedAttributes": [
            "java.util.ArrayList",
            [
                "eduPersonEntitlement"
            ]
        ],
        "attributeFilter": {
            "@class": "org.apereo.cas.services.support.RegisteredServiceMappedRegexAttributeFilter",
            "completeMatch": false,
            "excludeUnmappedAttributes": false,
            "order": 0,
            "patterns": {
                "@class": "java.util.HashMap",
                "eduPersonEntitlement": "^https://service.example.net/authorized$"
            }
        }
    },
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "unauthorizedRedirectUrl": "https://cas.example.org/cas/html/403.html",
        "requiredAttributes": {
            "@class": "java.util.HashMap",
            "eduPersonEntitlement": [
                "java.util.HashSet",
                [
                    "https://service.example.net/authorized"
                ]
            ]
        }
    },
    "logo": "https://cdn.lafayette.edu/images/logos/docusign-100x100.png",
    "properties": {
        "@class": "java.util.HashMap",
        "InformationURL": {
            "@class": "org.apereo.cas.services.DefaultRegisteredServiceProperty",
            "values": [
                "java.util.HashSet",
                [
                    "https://help.example.org/service-example-net"
                ]
            ]
        }
    }
}

The idea is to just redirect to an "Unauthorized" page if the principal does not have the required entitlement for the service.  There are other actions you can take as well, though you'd have to check the CAS docs to see what those are.

Thanks,

Carl Waldbieser

ITS

Lafayette College

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/1c29502f-388f-4e2a-b99f-8eb5591dab48n%40apereo.org.

[Pablo Vidaurri]

Perfect, that was exactly what I was looking for. Not sure how I missed this in the documentation.