Hi,
You need to use "shibcas.entityIdLocation=embed" in shib-cas-authn.
You may also need "idp.session.enabled = false" (or my simple
alternative, https://github.com/Unicon/shib-cas-authn/pull/8, which does
not break Shib IdP SLO).
cu
Baron Fujimoto <ba...@hawaii.edu> wrote:
We're using CAS 6.6 as an AuthN front end using Unicon's shib-cas-authn
(v4)[*] plugin for the Shibboleth IdP.
We have it working for the IdP generally, but now we'd like to apply more
specific actions based on certain entityIds.
For example, given an entityId="FooBar", this may appear in the Tomcat
access log as:
"GET /cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar HTTP/1.1"
If I use a serviceId regex like:
"^https://example\\.edu/idp/Authn/External.+"
It will match anything coming from the IdP via the shib-cas plugin.
However, as soon as I try to match on a particular entityId of interest,
the serviceId regex fails, e.g.:
"^https://example\\.edu/idp/Authn/External.+entityId=FooBar.+"
CAS appears to drop all the parameters after the "&", i.e. this is
sufficient to cause a non-match for anything:
"^https://example\\.edu/idp/Authn/External.+entityId.+"
On the CAS side, it only appears to see the service as:
service=https://example.edu/idp/Authn/External?conversation=e1s2
Is there a way to use the entityId serviceId regex to accomplish our goal?
CAS does seem to actually capture the entityId, because it shows up in logs
like:
DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service [AbstractWebApplicationService(id=https://example.edu/idp/Authn/External?conversation=e1s2, originalUrl=https://example.edu/idp/Authn/External?conversation=e1s2, artifactId=null, principal=foo_user, source=service, loggedOutAlready=false, format=XML, attributes={service=[https://example.edu/idp/Authn/External?conversation=e1s2], entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context>
Although the log suggests it is assigned to a (context?) attribute, this
doesn't seem to be accessible to the ABAC-type accessStrategy. For example,
this doesn't seem to work in the service registration:
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "entityId" : [ "java.util.HashSet", [ "FooBar" ] ]
    }
  }
Is there a way to accomplish our goal using entityId via an accessStrategy
if not via the serviceId regex?
Or is there some other recommended way of going about this?
[*] shib-cas-authn: <https://github.com/Unicon/shib-cas-authn>
--
Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google
Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it,
send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3OSz1wh_d8UOEYsVKwcAQoUB0z8GNJq8rS9pQGFb4rdg%40mail.gmail.com.
--
Pascal Rigaux
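The behaviour Baron describes and the fix Pascal points to can be reproduced offline. The following is an added example (not code from CAS or shib-cas-authn): it parses the /cas/login request target the way CAS does, treating the decoded "service" parameter as the service id that the serviceId regex is matched against. The "embedded" request line is a constructed guess at what shibcas.entityIdLocation=embed produces (entityId percent-encoded inside the service URL rather than appended as a separate login parameter).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed request target modelled on the access-log line in the question:
# entityId is appended as its own /cas/login parameter (shib-cas-authn default).
APPENDED = (
    "/cas/login?renew=true"
    "&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2"
    "&entityId=FooBar"
)

# Constructed request target assumed for entityIdLocation=embed: the
# "&entityId=FooBar" is percent-encoded (%26 / %3D) so it stays part of the
# service URL instead of becoming a second parameter of /cas/login.
EMBEDDED = (
    "/cas/login?renew=true"
    "&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2"
    "%26entityId%3DFooBar"
)

# The regex from the question, with a trailing ".*" so it still matches when
# entityId happens to be the last parameter of the embedded service URL.
SERVICE_ID_REGEX = re.compile(r"^https://example\.edu/idp/Authn/External.+entityId=FooBar.*")


def login_params(request_target: str) -> dict:
    """Decode the /cas/login query string into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(request_target).query).items()}


def cas_service_id(request_target: str) -> str:
    """The decoded 'service' value: the id CAS matches a serviceId regex against."""
    return login_params(request_target)["service"]


def service_regex_matches(request_target: str) -> bool:
    """True when the registered-service regex admits the service CAS actually sees."""
    return SERVICE_ID_REGEX.match(cas_service_id(request_target)) is not None


if __name__ == "__main__":
    for label, target in (("appended", APPENDED), ("embedded", EMBEDDED)):
        params = login_params(target)
        print(f"{label}: service id = {cas_service_id(target)}")
        print(f"{label}: entityId as separate login param = {params.get('entityId')}")
        print(f"{label}: serviceId regex matches = {service_regex_matches(target)}")
```

With the appended form, "entityId" is a sibling of "service" in the login request, so it never reaches the regex; with the embedded form it is inside the service id and the match succeeds.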