Folks,

Sorry for the likely stupid post, I swore I had sorted this prior. But I have 3 authentication sources defined. LDAP, Radius and Google MFA.

I want to restrict a service to using, and most importantly trying, only an explicitly configured service, i.e. if I say LDAP as the Auth Resource, upon a failure I do _not_ want it to go ahead and try the other resources.

In cas.properties I have:

cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false

and an example service definition as below:


{
  "_id": {
    "$numberLong": "9999999999999"
  },
  "serviceId": "xxxxxxxxxx",
  "name": "SSO CAS Server",
  "expirationPolicy": {
    "deleteWhenExpired": false,
    "notifyWhenDeleted": false,
    "notifyWhenExpired": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
  },
  "acceptableUsagePolicy": {
    "enabled": true,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
  },
  "proxyPolicy": {
    "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "proxyTicketExpirationPolicy": {
    "numberOfUses": {
      "$numberLong": "0"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
  },
  "serviceTicketExpirationPolicy": {
    "numberOfUses": {
      "$numberLong": "0"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
  },
  "evaluationOrder": 99999,
  "usernameAttributeProvider": {
    "canonicalizationMode": "NONE",
    "encryptUsername": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType": "BACK_CHANNEL",
  "environments": [],
  "attributeReleasePolicy": {
    "principalAttributesRepository": {
      "mergingStrategy": "MULTIVALUED",
      "attributeRepositoryIds": [],
      "ignoreResolvedAttributes": false,
      "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "consentPolicy": {
      "enabled": true,
      "order": 0,
      "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "order": 0,
    "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy": {
    "multifactorAuthenticationProviders": [],
    "failureMode": "UNDEFINED",
    "bypassEnabled": false,
    "forceExecution": false,
    "bypassTrustedDeviceEnabled": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
  },
  "accessStrategy": {
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "allowedProviders": [],
      "permitUndefined": true,
      "exclusive": false,
      "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
    },
    "requireAllAttributes": true,
    "requiredAttributes": {},
    "rejectedAttributes": {},
    "caseInsensitive": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
  },
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
    "criteria": {
      "tryAll": false,
      "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  },
  "properties": {},
  "contacts": [],
  "_class": "org.apereo.cas.services.RegexRegisteredService"
}

What am I missing?

Thanks

You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/6e25c829-ed25-dc1d-762d-131af62419c7%40caveo.ca.
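An added consistency check, not from the post and not part of CAS, that parses the two configuration fragments the post shows and reports whether they declare "only these handlers, no fallthrough": it unwraps the Jackson typed-collection form `["java.util.TreeSet", [...]]` used for `requiredAuthenticationHandlers` and reads the three `cas.authn.policy.*` properties. It inspects only what the files say, not how CAS evaluates them at runtime; the sample inputs are constructed from the post.

```python
"""Added check: do a CAS service JSON and cas.properties declare 'only these handlers, no fallthrough'?"""
import json

# Constructed sample, reduced from the service definition in the post.
SERVICE_JSON = """{
  "serviceId": "xxxxxxxxxx", "name": "SSO CAS Server",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
    "criteria": {"tryAll": false,
      "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"},
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"}}"""
# Constructed sample: the three properties from the post.
CAS_PROPERTIES = """cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false"""

def unwrap_typed(value):
    """Jackson writes typed collections as ["java.util.TreeSet", [...]]; return a plain list."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return list(value[1])
    return list(value or [])

def parse_properties(text):
    """Minimal key=value parser for cas.properties (comments start with # or !)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, val = line.split("=", 1)
            props[key.strip()] = val.strip()
    return props

def check_handler_restriction(service_json, properties_text, expected):
    """Return findings; empty means both files declare 'only these handlers, no fallthrough'."""
    policy = json.loads(service_json).get("authenticationPolicy") or {}
    props = parse_properties(properties_text)
    findings = []
    handlers = set(unwrap_typed(policy.get("requiredAuthenticationHandlers")))
    if handlers != set(expected):
        findings.append(f"requiredAuthenticationHandlers {sorted(handlers)} != {sorted(expected)}")
    if (policy.get("criteria") or {}).get("tryAll", False):
        findings.append("criteria.tryAll is true: every listed handler is attempted")
    if props.get("cas.authn.policy.req.try-all", "false").lower() != "false":
        findings.append("cas.authn.policy.req.try-all is not false")
    key = "cas.authn.policy.required-handler-authentication-policy-enabled"
    if props.get(key, "false").lower() != "true":
        findings.append(f"{key} is not true")
    return findings
```

Run `check_handler_restriction(SERVICE_JSON, CAS_PROPERTIES, ["LDAP"])` against a real service file and properties to see which declared setting, if any, still permits fallthrough.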