Hi Marcus, If you are using 5.0.x or later , there should be a requiredAttributes field mentioned in the doc "https://apereo.github.io/cas/5.1.x/installation/Configuring-Service-Access-Strategy.html".
You will need to group all your users that need the restriction to the same service, then do something like below: MyService-101.json { "@class" : "org.apereo.cas.services.RegexRegisteredService", "serviceId" : "https://this-is-your-site.example.com", "name" : "My Service", "id" : 101, "accessStrategy" : { "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy", "enabled" : true, "requireAllAttributes" : false, "ssoEnabled" : true, "requiredAttributes" : { "@class" : "java.util.HashMap", "requiredAttributeHere1" : [ "java.util.HashSet", [ ".+" ] ], "requiredAttribute2" : [ "java.util.HashSet", [ ".+" ] ], } }} Note: those restriction are regex supported, that's why I use .+. Then route the user to the service like this: https://sso.cas.mycas?service=https%3A%2F%2Fthis-is-your-site.example.com When user attempt to login, the restriction of attribute should triggered. Is this the kind of behavior you want to implement? -Andy On Saturday, 16 September 2017 04:17:54 UTC+8, Marcus Watkins wrote: > > Hi, > > We have two authentication methods -- LDAP and a third party SSO tool > implemented as an AbstractNonInteractiveCredentialsAction. > > Our LDAP group config is nonstandard, so I've also implemented an > attribute lookup by overriding the attributeRepositories bean with my own > PersonAttributeDao to enumerate groups. This method has the added benefit > of also triggering a lookup for the SSO users. > > So far so good, with both methods everyone comes across properly with > attributes. > > Now, though, I have to somehow reject users if they don't have specific > attribute values. I've been looking for the proper hook, and I thought it > was going to be authenticationPolicyFactory, but its isSatisfiedBy never > seems to be called. Before I started plugging breakpoints everywhere I > thought I'd ask: > > Any suggestions on the cleanest way to hook in there to reject a user > based on attribute values? Or have I done this all wrong? > > Thanks! > > -Marcus Watkins > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/fc35cddd-b443-4214-9cab-3dea3a934aec%40apereo.org.