This is what I'm using...to be honest I can't seem to recall if this
does not bother trying the other resources...I think it does what we
originally wanted.

  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["LDAP"],
    "criteria": {
      "tryAll": false,
      "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  },

On 12/2/21 10:34 AM, artur miś wrote:
Have you found a solution?
On Tuesday, 4 May 2021 at 17:58:20 UTC+2, C Ryan wrote:
Folks,
Sorry for the likely stupid post, I swore I had sorted this prior.
But I have 3 authentication sources defined. LDAP, Radius and
Google MFA.
I want to restrict a service to using - and most importantly
trying - only an explicitly configured service. I.e. If I say LDAP
as the Auth Resource, upon a failure I do _not_ want it to go
ahead and try the other resources.
In cas.properties I have:
cas.authn.policy.source-selection-enabled=false
cas.authn.policy.required-handler-authentication-policy-enabled=true
cas.authn.policy.req.try-all=false
and an example service definition as below:
{
  "_id": {
    "$numberLong": "9999999999999"
  },
  "serviceId": "xxxxxxxxxx",
  "name": "SSO CAS Server",
  "expirationPolicy": {
    "deleteWhenExpired": false,
    "notifyWhenDeleted": false,
    "notifyWhenExpired": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
  },
  "acceptableUsagePolicy": {
    "enabled": true,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
  },
  "proxyPolicy": {
    "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
  },
  "proxyTicketExpirationPolicy": {
    "numberOfUses": {
      "$numberLong": "0"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
  },
  "serviceTicketExpirationPolicy": {
    "numberOfUses": {
      "$numberLong": "0"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
  },
  "evaluationOrder": 99999,
  "usernameAttributeProvider": {
    "canonicalizationMode": "NONE",
    "encryptUsername": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
  },
  "logoutType": "BACK_CHANNEL",
  "environments": [],
  "attributeReleasePolicy": {
    "principalAttributesRepository": {
      "mergingStrategy": "MULTIVALUED",
      "attributeRepositoryIds": [],
      "ignoreResolvedAttributes": false,
      "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
    },
    "consentPolicy": {
      "enabled": true,
      "order": 0,
      "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
    },
    "authorizedToReleaseCredentialPassword": false,
    "authorizedToReleaseProxyGrantingTicket": false,
    "excludeDefaultAttributes": false,
    "authorizedToReleaseAuthenticationAttributes": true,
    "order": 0,
    "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
  },
  "multifactorPolicy": {
    "multifactorAuthenticationProviders": [],
    "failureMode": "UNDEFINED",
    "bypassEnabled": false,
    "forceExecution": false,
    "bypassTrustedDeviceEnabled": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
  },
  "accessStrategy": {
    "order": 0,
    "enabled": true,
    "ssoEnabled": true,
    "delegatedAuthenticationPolicy": {
      "allowedProviders": [],
      "permitUndefined": true,
      "exclusive": false,
      "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
    },
    "requireAllAttributes": true,
    "requiredAttributes": {},
    "rejectedAttributes": {},
    "caseInsensitive": false,
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
  },
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
    "criteria": {
      "tryAll": false,
      "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  },
  "properties": {},
  "contacts": [],
  "_class": "org.apereo.cas.services.RegexRegisteredService"
}
What am I missing?
Thanks
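
An added example, not part of the thread and not CAS code: a small audit script that reads service definitions like the two quoted above and reports, per service, the declared handlers and the criteria class, so the two `authenticationPolicy` variants can be compared across a registry export. The sample definitions are constructed from the fragments in the thread, and the function names are hypothetical.

```python
import json

# Constructed samples: the two authenticationPolicy fragments from the thread,
# plus one service that declares no policy at all.
SAMPLE_SERVICES = json.loads("""
[
  {"name": "plain-list", "authenticationPolicy": {
     "requiredAuthenticationHandlers": ["LDAP"],
     "criteria": {"tryAll": false,
       "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"}}},
  {"name": "typed-set", "authenticationPolicy": {
     "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
     "criteria": {"tryAll": false,
       "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"}}},
  {"name": "no-policy"}
]
""")


def unwrap_collection(value):
    """Return handler names from a plain list or a ["java.util.X", [items]] wrapper."""
    if (isinstance(value, list) and len(value) == 2
            and isinstance(value[0], str) and value[0].startswith("java.util.")
            and isinstance(value[1], list)):
        return list(value[1])
    return list(value or [])


def summarize_policy(service):
    """Summarise the authenticationPolicy block of one service definition dict."""
    policy = service.get("authenticationPolicy") or {}
    criteria = policy.get("criteria") or {}
    handlers = unwrap_collection(policy.get("requiredAuthenticationHandlers"))
    return {
        "name": service.get("name"),
        "handlers": handlers,
        # Short class name only; None when no criteria block is present.
        "criteria": criteria.get("_class", "").rsplit(".", 1)[-1] or None,
        "try_all": criteria.get("tryAll"),
        "declares_handlers": bool(handlers),  # False: nothing listed for this service
    }


def audit(services):
    """Summarise every service definition in an iterable of dicts."""
    return [summarize_policy(s) for s in services]


if __name__ == "__main__":
    for row in audit(SAMPLE_SERVICES):
        print(row)
```

The script only reports what each definition declares; whether CAS then skips the other handlers depends on the server version and the `cas.authn.policy.*` settings in use.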