I need to use CAS to manage SSO in a multi-company,
multi-service-per-company scenario. Thus, I have a user repository
where each user is owned by a company, and this company has multiple
services handled by a service repository. Those services are going to
handle user access via CAS. I want CAS to prevent users owned by Company A
from trying to access services owned by Company B. As the
authentication handler mechanism has no consciousness of the calling service,
I'm wondering if putting a Grant-User-To-Service Action just before the
"redirect" action-state of the login flow could be a valid solution to
my problem. All of this because I don't want to have to tell the
developers of services "hey man, handle the logged-in user carefully
because it could be a user of another company", as it might not be
appreciated.

My first thought was to put some "attribute requirements" in the
RegisteredService and populate user attributes in the right way, but it
seems to me that "attribute requirements" just filter attributes; they
don't prevent user login or user access to the service.

Am I wrong?

Thank you

On 03/02/2015 18:56, Mike Seiler wrote:
> I do this on the service application side. So once authenticated,
> the service a user is accessing checks their roles/membership and
> allows them in or denies them.
>
> If you are able to pull the "memberof" attributes via CAS you can have 
> your application stop the process based on that alone without needing 
> to make a secondary call to your LDAP or AD inside your service 
> application.
>
> On Tue, Feb 3, 2015 at 6:29 AM, Giorgio Maria Santini 
> <gsant...@voiptech.it <mailto:gsant...@voiptech.it>> wrote:
>
>     Hello,
>
>     I'm looking for a way to limit service access on a per-user basis.
>     Thus, I check for a registeredService, I authenticate the user,
>     and then I want to stop the authentication process if the user does
>     not have the ability to access the registeredService. I don't know if
>     there is a built-in facility in CAS or if I have to customize the
>     login flow to accomplish the task. Imagine I have users A, B, C, and
>     services S1 and S2; I'd like to be able to say "users A, B use
>     services S1 and S2. User C uses service S2, not S1".
>
>     Thanks for any suggestion
>
>     -- 
>     You are currently subscribed to cas-u...@lists.jasig.org
> <mailto:cas-user@lists.jasig.org> as: michaelsei...@fuller.edu
> <mailto:michaelsei...@fuller.edu>
>     To unsubscribe, change settings or access archives,
> see http://www.ja-sig.org/wiki/display/JSG/cas-user
>
>
>
>
> -- 
> *Michael Seiler*
> --------------------------------------------------
> Systems Integration Engineer
> Fuller Theological Seminary
> Phone: (970) 306-6105
> michaelsei...@fuller.edu <mailto:michaelsei...@fuller.edu>
>
> *Please NOTE:*
> I respond to email at 8 AM, 1PM, and at 4:30PM.  If you need more 
> immediate help, please contact TSS (626.584.5675) and they can route 
> the issue to the appropriate person.  If this is a business process 
> life or death emergency, you may call me at the above number.


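The check the poster wants to put before the "redirect" action-state, modelled as a small standalone policy: each user is owned by a company, each registered service is owned by a company and may optionally name the users granted to it, and a user is only redirected to a service when both the company and the per-user grant agree. This is an added illustration written for this thread, not CAS code and not Mike Seiler's or Giorgio's own implementation; the `User`/`RegisteredService` classes, the prefix-based service lookup, the outcome names (`redirect`, `accessDenied`, `serviceNotRegistered`) and the sample users and service URLs are all constructed for the example. It also shows, in contrast, that an attribute-release filter (`release_attributes`) narrows what the service sees but never produces a deny, which is the distinction the poster draws about "attribute requirements".

```python
"""Constructed model of a Grant-User-To-Service check before the login-flow redirect."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    company: str                                  # owning company from the user repository
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class RegisteredService:
    service_id: str                               # URL prefix the service is registered under
    company: str                                  # owning company from the service repository
    allowed_users: FrozenSet[str] = frozenset()   # empty means every user of the owning company
    released_attributes: FrozenSet[str] = frozenset()  # attribute-release filter (no deny semantics)


def find_registered_service(registry: List[RegisteredService],
                            service_url: str) -> Optional[RegisteredService]:
    """Longest-prefix match of the requested service URL against the registry (constructed rule)."""
    best = None
    for rs in registry:
        if service_url.startswith(rs.service_id):
            if best is None or len(rs.service_id) > len(best.service_id):
                best = rs
    return best


def authorize(user: User, service: RegisteredService) -> Tuple[bool, str]:
    """Company ownership check first, then the optional per-user grant list."""
    if service.company != user.company:
        return False, (f"user {user.username} belongs to {user.company}; "
                       f"service {service.service_id} is owned by {service.company}")
    if service.allowed_users and user.username not in service.allowed_users:
        return False, f"user {user.username} is not granted to {service.service_id}"
    return True, "granted"


def release_attributes(user: User, service: RegisteredService) -> Dict[str, str]:
    """What an attribute-release policy does: filters attributes, never blocks access."""
    return {k: v for k, v in user.attributes.items() if k in service.released_attributes}


def login_flow_outcome(user: User, service_url: str,
                       registry: List[RegisteredService]) -> Tuple[str, Optional[str]]:
    """Decision taken after authentication and before the redirect back to the service.

    Returns (outcome, detail): ('redirect', url) on success, ('accessDenied', reason)
    when the grant check fails, ('serviceNotRegistered', None) if no service matched.
    """
    service = find_registered_service(registry, service_url)
    if service is None:
        return "serviceNotRegistered", None
    allowed, reason = authorize(user, service)
    if not allowed:
        return "accessDenied", reason
    return "redirect", service_url


# Constructed sample data: users A, B, C of Company A (as in the quoted question),
# user D of Company B; S1 restricted to A and B, S2 open to all of Company A,
# S3 owned by Company B.
USERS = {
    "A": User("A", "CompanyA", {"mail": "a@company-a.example", "memberOf": "staff"}),
    "B": User("B", "CompanyA", {"mail": "b@company-a.example"}),
    "C": User("C", "CompanyA", {"mail": "c@company-a.example"}),
    "D": User("D", "CompanyB", {"mail": "d@company-b.example"}),
}
REGISTRY = [
    RegisteredService("https://s1.company-a.example/", "CompanyA",
                      allowed_users=frozenset({"A", "B"}), released_attributes=frozenset({"mail"})),
    RegisteredService("https://s2.company-a.example/", "CompanyA"),
    RegisteredService("https://s3.company-b.example/", "CompanyB"),
]

if __name__ == "__main__":
    for who, url in [("A", "https://s1.company-a.example/app"),
                     ("C", "https://s1.company-a.example/app"),
                     ("C", "https://s2.company-a.example/"),
                     ("A", "https://s3.company-b.example/portal"),
                     ("D", "https://s3.company-b.example/portal")]:
        print(who, url, "->", login_flow_outcome(USERS[who], url, REGISTRY))
```

Placing the decision at this point means every service behind the same CAS server gets the cross-company rule for free, and the per-user lists cover the "user C uses S2, not S1" case from the quoted question; the service only receives a ticket when the outcome is `redirect`, so its developers never see a foreign user at all.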