My service is test-1.json:

{
  "@class": "org.apereo.cas.services.RegexRegisteredService",
  "serviceId": "^(http|https|imaps)://serwis.org/casphp*",
  "name": "test",
  "id": 1,
  "description": "Straggle Today!",
  "authenticationPolicy": {
    "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "everest" ]],
    "criteria": {
      "try-All": false,   <- this probably should do the magic, but it didn't
      "@class": "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
    },
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
  }
}


I have not included in cas.properties any directive like cas.authn.policy.<xxx>:

cas.authn.policy.any.try-All
or
cas.authn.policy.all.enabled
or
cas.authn.policy.source-selection-enabled
or
cas.authn.policy.required-handler-authentication-policy-enabled

My CAS overlay version is 6.3.2 on Docker. I have 3 AD handlers, and when I
test a non-service login via https://example.org/casphp I can see that
sometimes it uses the ppm handler and sometimes the second one, everest,
because userx is in both; that seems to be OK. I test for the service via
the REST API (because for this sandbox CAS I have not physically connected
any service yet, so I test it from the command line, but that doesn't seem
to be the reason for the problems), and I truly believe you have some hack
to manage it.

TEST curl:
from server side:
cat api_test.bash
#!/bin/bash
# 1. Obtain a ticket-granting ticket (TGT) for the user via the CAS REST API.
#    -k skips certificate verification: sandbox only.
tgt=$(curl -sk -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  https://example.org/casphp/v1/tickets \
  -d 'username=userx&password=xxx')
echo "tgt:$tgt"

# 2. Exchange the TGT for a service ticket (ST) for the registered service.
st=$(curl -sk -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: application/json' \
  "https://example.org/casphp/v1/tickets/$tgt?service=https://serwis.org/casphp")
echo "st:$st"

# 3. Validate the ST; the response shows which handler authenticated the user.
output=$(curl -sk \
  "https://example.org/casphp/p3/serviceValidate?service=https://serwis.org/casphp&ticket=$st")
echo "|$output|"

So I received:

|<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>userx</cas:user>
        <cas:attributes>
            <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            <cas:authenticationDate>2021-12-03T11:25:14.792314Z</cas:authenticationDate>
            <cas:authenticationMethod>ppm</cas:authenticationMethod>
            <cas:successfulAuthenticationHandlers>ppm</cas:successfulAuthenticationHandlers>
            <- here I want to have deterministically everest (not sometimes ppm, sometimes everest)
            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>|


The result is not deterministic. The user receives authentication sometimes
from ppm, sometimes from everest. I discovered that if I restart the CAS
container I could get ppm, and it seems to keep the ppm handler until the
next restart. If I restart CAS again I can get ppm or everest. Between
restarts it looks like it keeps the handler chosen at the beginning. It is a
little bit of magic to me.

Friday, 3 December 2021 at 08:58:43 UTC+1, artur miś wrote:

> Could you please, if you can, also show the cas.auth.policies you have
> connected to this solution?
>
> AM
> Thursday, 2 December 2021 at 17:04:45 UTC+1, C Ryan wrote:
>
>> This is what I'm using...to be honest I can't seem to recall if this does 
>> not bother trying the other resources...I think it does what we originally 
>> wanted.
>>
>>
>>  "authenticationPolicy": {
>>         "requiredAuthenticationHandlers": ["LDAP"],
>>         "criteria": {
>>             "tryAll": false,
>>             "_class": 
>> "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria"
>>         },
>>         "_class": 
>> "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>     },
>> On 12/2/21 10:34 AM, artur miś wrote:
>>
>> Have you found a solution?
>>
>> Tuesday, 4 May 2021 at 17:58:20 UTC+2, C Ryan wrote:
>>
>>> Folks,
>>>
>>>
>>> Sorry for the likely stupid post, I swore I had sorted this prior. But I 
>>> have 3 authentication sources defined. LDAP, Radius and Google MFA.
>>>
>>> I want to restrict a service to using - and most importantly trying - 
>>> only an explicitly configured service. I.e. If I say LDAP as the Auth 
>>> Resource, upon a failure I do _not_ want it to go ahead and try the other 
>>> resources.
>>>
>>>
>>> In cas.properties I have:
>>>
>>> cas.authn.policy.source-selection-enabled=false
>>> cas.authn.policy.required-handler-authentication-policy-enabled=true
>>> cas.authn.policy.req.try-all=false
>>>
>>> and an example service definition as below:
>>>
>>> {
>>>     "_id": {
>>>         "$numberLong": "9999999999999"
>>>     },
>>>     "serviceId": "xxxxxxxxxx",
>>>     "name": "SSO CAS Server",
>>>     "expirationPolicy": {
>>>         "deleteWhenExpired": false,
>>>         "notifyWhenDeleted": false,
>>>         "notifyWhenExpired": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceExpirationPolicy"
>>>     },
>>>     "acceptableUsagePolicy": {
>>>         "enabled": true,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAcceptableUsagePolicy"
>>>     },
>>>     "proxyPolicy": {
>>>         "_class": "org.apereo.cas.services.RefuseRegisteredServiceProxyPolicy"
>>>     },
>>>     "proxyTicketExpirationPolicy": {
>>>         "numberOfUses": {
>>>             "$numberLong": "0"
>>>         },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceProxyTicketExpirationPolicy"
>>>     },
>>>     "serviceTicketExpirationPolicy": {
>>>         "numberOfUses": {
>>>             "$numberLong": "0"
>>>         },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceServiceTicketExpirationPolicy"
>>>     },
>>>     "evaluationOrder": 99999,
>>>     "usernameAttributeProvider": {
>>>         "canonicalizationMode": "NONE",
>>>         "encryptUsername": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceUsernameProvider"
>>>     },
>>>     "logoutType": "BACK_CHANNEL",
>>>     "environments": [],
>>>     "attributeReleasePolicy": {
>>>         "principalAttributesRepository": {
>>>             "mergingStrategy": "MULTIVALUED",
>>>             "attributeRepositoryIds": [],
>>>             "ignoreResolvedAttributes": false,
>>>             "_class": "org.apereo.cas.authentication.principal.DefaultPrincipalAttributesRepository"
>>>         },
>>>         "consentPolicy": {
>>>             "enabled": true,
>>>             "order": 0,
>>>             "_class": "org.apereo.cas.services.consent.DefaultRegisteredServiceConsentPolicy"
>>>         },
>>>         "authorizedToReleaseCredentialPassword": false,
>>>         "authorizedToReleaseProxyGrantingTicket": false,
>>>         "excludeDefaultAttributes": false,
>>>         "authorizedToReleaseAuthenticationAttributes": true,
>>>         "order": 0,
>>>         "_class": "org.apereo.cas.services.ReturnAllAttributeReleasePolicy"
>>>     },
>>>     "multifactorPolicy": {
>>>         "multifactorAuthenticationProviders": [],
>>>         "failureMode": "UNDEFINED",
>>>         "bypassEnabled": false,
>>>         "forceExecution": false,
>>>         "bypassTrustedDeviceEnabled": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy"
>>>     },
>>>     "accessStrategy": {
>>>         "order": 0,
>>>         "enabled": true,
>>>         "ssoEnabled": true,
>>>         "delegatedAuthenticationPolicy": {
>>>             "allowedProviders": [],
>>>             "permitUndefined": true,
>>>             "exclusive": false,
>>>             "_class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
>>>         },
>>>         "requireAllAttributes": true,
>>>         "requiredAttributes": {},
>>>         "rejectedAttributes": {},
>>>         "caseInsensitive": false,
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy"
>>>     },
>>>     "authenticationPolicy": {
>>>         "requiredAuthenticationHandlers": ["java.util.TreeSet", [ "LDAP" ]],
>>>         "criteria": {
>>>             "tryAll": false,
>>>             "_class": "org.apereo.cas.services.AllowedAuthenticationHandlersRegisteredServiceAuthenticationPolicyCriteria"
>>>         },
>>>         "_class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy"
>>>     },
>>>     "properties": {},
>>>     "contacts": [],
>>>     "_class": "org.apereo.cas.services.RegexRegisteredService"
>>> }
>>>
>>> What am I missing?
>>>
>>> Thanks
>>>
>>>

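The check the thread is really after is "did every validation for this service come from the required handler?". Below is an added example (not code from the original post or from CAS) that parses the /p3/serviceValidate XML in the shape shown above, extracts successfulAuthenticationHandlers, and reports over a batch of responses whether the handler is deterministic and matches the service's policy. The required handler name "everest" is taken from the post; the sample responses are constructed for the example and stand in for the bodies you would collect by running the curl sequence repeatedly, including across container restarts.

```python
"""Check which CAS authentication handler actually satisfied each validation.

Added example, not part of the original post or of CAS itself.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# CAS protocol namespace used by the serviceValidate response.
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def _success_response(user: str, handler: str) -> str:
    """Build a constructed authenticationSuccess body in the shape seen in the post."""
    return f"""<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
        <cas:user>{user}</cas:user>
        <cas:attributes>
            <cas:credentialType>UsernamePasswordCredential</cas:credentialType>
            <cas:isFromNewLogin>true</cas:isFromNewLogin>
            <cas:authenticationMethod>{handler}</cas:authenticationMethod>
            <cas:successfulAuthenticationHandlers>{handler}</cas:successfulAuthenticationHandlers>
            <cas:longTermAuthenticationRequestTokenUsed>false</cas:longTermAuthenticationRequestTokenUsed>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""


# Constructed sample batch: two validations satisfied by ppm, one by everest,
# and one failed validation, mirroring the non-deterministic behaviour reported.
SAMPLE_RESPONSES = [
    _success_response("userx", "ppm"),
    _success_response("userx", "everest"),
    _success_response("userx", "ppm"),
    """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>Ticket 'ST-1-abc' not recognized</cas:authenticationFailure>
</cas:serviceResponse>""",
]


def parse_validation(xml_text: str) -> dict:
    """Return user, authenticationMethod and the set of successful handlers,
    or the failure code when validation did not succeed.

    ElementTree is acceptable because the XML comes from your own CAS server;
    for XML from an untrusted party use defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        failure = root.find("cas:authenticationFailure", CAS_NS)
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        return {"ok": False, "code": code}
    attrs = success.find("cas:attributes", CAS_NS)
    handlers = set()
    method = ""
    if attrs is not None:
        method = attrs.findtext("cas:authenticationMethod", default="", namespaces=CAS_NS)
        for el in attrs.findall("cas:successfulAuthenticationHandlers", CAS_NS):
            # One element per handler as in the post; defensively also split
            # comma-joined values (an assumption, not a documented CAS format).
            handlers.update(h.strip() for h in (el.text or "").split(",") if h.strip())
    return {
        "ok": True,
        "user": success.findtext("cas:user", default="", namespaces=CAS_NS),
        "method": method,
        "handlers": handlers,
    }


def check_handler_policy(responses, required_handlers) -> dict:
    """Count which handlers satisfied each validation and flag every response
    that used a handler outside `required_handlers` or failed outright."""
    required = set(required_handlers)
    counts = Counter()
    violations = []
    for idx, body in enumerate(responses):
        info = parse_validation(body)
        if not info["ok"]:
            violations.append((idx, f"validation failed: {info['code']}"))
            continue
        counts.update(info["handlers"])
        unexpected = info["handlers"] - required
        if unexpected:
            violations.append((idx, f"handler(s) {sorted(unexpected)} not in policy"))
    return {
        "counts": dict(counts),
        # exactly one handler name seen across all successful validations
        "deterministic": len(counts) == 1,
        "violations": violations,
    }


if __name__ == "__main__":
    print(check_handler_policy(SAMPLE_RESPONSES, {"everest"}))
```

Run the curl sequence from the post in a loop (and again after each container restart), append each serviceValidate body to the list, and pass the handler named in the service's requiredAuthenticationHandlers as `required_handlers`; a non-empty `violations` list is the concrete evidence that the service policy is not being enforced, which is more useful in a bug report than "sometimes ppm, sometimes everest".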
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/46124c34-aa43-4a3c-bbd5-a7090f7fcd4en%40apereo.org.