Baron, You could configure Shib to use SAML2 proxy with Cas as a SAML2 IdP. With the Shib Cas plugin, you are authenticating for Shib as a service, rather than the entity which is the destination (FooBar).
Ray On Wed, 2023-06-14 at 09:44 -1000, Baron Fujimoto wrote: Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information. We're using CAS 6.6 as an AuthN front end using Unicon's shib-casn-authn (v4)[*] plugin for the Shibboleth IdP. We have it working for the IdP generally, but now we'd like to apply more specific actions based for certain entityIds. For example, given an entityId="FooBar", this may appear in the Tomcat access log as: "GET /cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar HTTP/1.1" If I use a serviceId regex like: "^https://example\\.edu/idp/Authn/External.+" It will match anything coming from the IdP via the shib-cas plugin. However, as soon as I try to match on a particular entityId of interest, the serviceId regex fails. E.g.: "^https://example\\.edu/idp/Authn/External.+entityId=FooBar.+" CAS appears to drop all the parameters after the "&". I.e. this is sufficient to cause a non-match for anything: "^https://example\\.edu/idp/Authn/External.+entityId.+" On the CAS side, it only appears to see the service as: service=https://example.edu/idp/Authn/External?conversation=e1s2 Is there a way to use the entityId serviceId regex to accomplish our goal? CAS does seem to actually capture the entityId, because it shows up in logs like: DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service [AbstractWebApplicationService(id=https://example.edu/idp/Authn/External?conversation=e1s2, originalUrl=https://example.edu/idp/Authn/External?conver sation=e1s2, artifactId=null, principal=foo_user, source=service, loggedOutAlready=false, format=XML, attributes={service=[https://example.edu/idp/Authn/External?conversation=e1s2], entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context> Although the log suggests it is assigned to an (context?) attribute, this doesn't seem to be accessible to the ABAC type accessStrategy. For example, this doesn't seem to work in the service registration: "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "requiredAttributes" : { "@class" : "java.util.HashMap", "entityId" : [ "java.util.HashSet", [ "FooBar" ] ], } } Is there a way to accomplish our goal using entityId via an accessStrategy if not via the serviceId regex? Or is there some other recommended way of going about this? [*] shib-cas-authn: <https://github.com/Unicon/shib-cas-authn> -- Baron Fujimoto <ba...@hawaii.edu<mailto:ba...@hawaii.edu>> ::: UH Information Technology Services minutas cantorum, minutas balorum, minutas carboratum descendus pantorum -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/3028a6ec8845630ac4feb07dd69b4c04d512f882.camel%40uvic.ca.