This is what I'm using...to be honest I can't seem to recall if this does not bother trying the other resources...I think it does what we originally wanted.

"authenticationPolicy": {
    "requiredAuthenticationHandlers": ["LDAP"],
    "criteria": {
        "tryAll": false,
        "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
    },
    "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
},

On 12/2/21 10:34 AM, artur miś wrote:
Have you found a solution?

On Tuesday, 4 May 2021 at 17:58:20 UTC+2, C Ryan wrote:

    Folks,


    Sorry for the likely stupid post, I swore I had sorted this prior.
    But I have 3 authentication sources defined. LDAP, Radius and
    Google MFA.

    I want to restrict a service to using - and most importantly
    trying - only an explicitly configured service. I.e. If I say LDAP
    as the Auth Resource, upon a failure I do _not_ want it to go
    ahead and try the other resources.


    In cas.properties I have:


    cas.authn.policy.source-selection-enabled=false
    cas.authn.policy.required-handler-authentication-policy-enabled=true
    cas.authn.policy.req.try-all=false


    and an example service definition as below:


    {
        "_id": {
            "$numberLong": "9999999999999"
        },
        "serviceId": "xxxxxxxxxx",
        "name": "SSO CAS Server",
        "expirationPolicy": {
            "deleteWhenExpired": false,
            "notifyWhenDeleted": false,
            "notifyWhenExpired": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
        },
        "acceptableUsagePolicy": {
            "enabled": true,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
        },
        "proxyPolicy": {
            "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
        },
        "proxyTicketExpirationPolicy": {
            "numberOfUses": {
                "$numberLong": "0"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
        },
        "serviceTicketExpirationPolicy": {
            "numberOfUses": {
                "$numberLong": "0"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
        },
        "evaluationOrder": 99999,
        "usernameAttributeProvider": {
            "canonicalizationMode": "NONE",
            "encryptUsername": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
        },
        "logoutType": "BACK_CHANNEL",
        "environments": [],
        "attributeReleasePolicy": {
            "principalAttributesRepository": {
                "mergingStrategy": "MULTIVALUED",
                "attributeRepositoryIds": [],
                "ignoreResolvedAttributes": false,
                "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
            },
            "consentPolicy": {
                "enabled": true,
                "order": 0,
                "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
            },
            "authorizedToReleaseCredentialPassword": false,
            "authorizedToReleaseProxyGrantingTicket": false,
            "excludeDefaultAttributes": false,
            "authorizedToReleaseAuthenticationAttributes": true,
            "order": 0,
            "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
        },
        "multifactorPolicy": {
            "multifactorAuthenticationProviders": [],
            "failureMode": "UNDEFINED",
            "bypassEnabled": false,
            "forceExecution": false,
            "bypassTrustedDeviceEnabled": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
        },
        "accessStrategy": {
            "order": 0,
            "enabled": true,
            "ssoEnabled": true,
            "delegatedAuthenticationPolicy": {
                "allowedProviders": [],
                "permitUndefined": true,
                "exclusive": false,
                "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
            },
            "requireAllAttributes": true,
            "requiredAttributes": {},
            "rejectedAttributes": {},
            "caseInsensitive": false,
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
        },
        "authenticationPolicy": {
            "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
            "criteria": {
                "tryAll": false,
                "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
            },
            "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
        },
        "properties": {},
        "contacts": [],
        "_class": "org.apereo.cas.services.RegexRegisteredService"
    }

    What am I missing?

    Thanks
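
An added example, not part of the original thread and not Apereo CAS code: a small Python audit that reads exported service definitions and reports each service's `authenticationPolicy`, accepting both the plain-array form from the reply and the `["java.util.TreeSet", [...]]` wrapper form from the original post. The function names and the sample definitions are constructed for illustration; the script only reports what is configured and does not model how CAS evaluates the policy.

```python
import json

# Constructed sample definitions, trimmed to the fields the thread discusses.
SAMPLE = json.loads("""
[
  {"name": "plain-array", "authenticationPolicy": {
      "requiredAuthenticationHandlers": ["LDAP"],
      "criteria": {"tryAll": false, "_class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"}}},
  {"name": "typed-set", "authenticationPolicy": {
      "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LDAP"]],
      "criteria": {"tryAll": false, "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"}}},
  {"name": "no-policy"}
]
""")


def required_handlers(value):
    """Return handler names from either encoding seen in the thread."""
    if not value:
        return []
    # Type-wrapper form from the original post: ["java.util.TreeSet", ["LDAP", ...]]
    if (len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith("java.util.") and isinstance(value[1], list)):
        return sorted(value[1])
    return sorted(value)


def audit(service, expected):
    """Summarise one service's policy and list deviations from `expected`."""
    policy = service.get("authenticationPolicy") or {}
    criteria = policy.get("criteria") or {}
    handlers = required_handlers(policy.get("requiredAuthenticationHandlers"))
    findings = []
    if not handlers:
        findings.append("no required handlers configured")
    elif handlers != sorted(expected):
        findings.append(f"handlers {handlers} differ from expected {sorted(expected)}")
    if criteria.get("tryAll", False):  # the poster wants this to stay false
        findings.append("criteria.tryAll is true")
    return {
        "name": service.get("name"),
        "handlers": handlers,
        "criteria": criteria.get("_class", "").rsplit(".", 1)[-1],
        "findings": findings,
    }


if __name__ == "__main__":
    for svc in SAMPLE:
        print(audit(svc, expected=["LDAP"]))
```

Run against a full registry export, this gives one line per service, which makes it easy to see which criteria class and handler set each one actually carries.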

