Hi Baron,

As Pascal Rigaux wrote earlier today, if you want CAS to distinguish
shib-cas-authn plugin requests by entityId and match different entityIds
with different registered services, you'll want to set
"shibcas.entityIdLocation=embed" in shib-cas-authn, so that the *entire*
service value including the '&' and entityId=[value] gets urlencoded, that
is, with the entityId embedded.  Likewise, when you mock up the shib-cas
connector behavior, you'll want to urlencode the entire service value
including the entityId.

Dan Ellentuck
Columbia University I.T.


On Thu, Jun 15, 2023 at 4:43 PM Baron Fujimoto <ba...@hawaii.edu> wrote:

> Hi Pascal,
>
> Shouldn't I be able to simulate this from CAS itself for testing purposes?
> E.g. If I try the following as a test URL:
> <https://cas.example.edu/cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar>
>
> It appears to generate a request to our CAS that is functionally
> equivalent to one coming from our IdP using the shib-cas-authn plugin. If
> that's the case, then it seems like what's awry should be on the CAS config
> side, and not the IdP/shib-cas-authn config?
>
> Ray,
>
> Our longer term plan is to consolidate our CAS and SAML protocols into one
> service, but until we do so, we're trying to keep their legacy division of
> labor separate.
>
> On Wed, Jun 14, 2023 at 9:10 PM 'Pascal Rigaux' via CAS Community <
> cas-user@apereo.org> wrote:
>
>> Hi,
>>
>> You need to use "shibcas.entityIdLocation=embed" in shib-cas-authn
>>
>> You may also need "idp.session.enabled = false" (or my simple
>> alternative https://github.com/Unicon/shib-cas-authn/pull/8 which does
>> not break shib idp SLO)
>>
>> cu
>>
>> Baron Fujimoto <ba...@hawaii.edu> wrote:
>>
>> > We're using CAS 6.6 as an AuthN front end using Unicon's shib-cas-authn
>> > (v4)[*] plugin for the Shibboleth IdP.
>> >
>> > We have it working for the IdP generally, but now we'd like to apply
>> > more specific actions based on certain entityIds.
>> >
>> > For example, given an entityId="FooBar", this may appear in the Tomcat
>> > access log as:
>> >
>> > "GET /cas/login?renew=true&service=https%3A%2F%2Fexample%2Eedu%2Fidp%2FAuthn%2FExternal%3Fconversation%3De1s2&entityId=FooBar HTTP/1.1"
>> >
>> > If I use a serviceId regex like:
>> > "^https://example\\.edu/idp/Authn/External.*"
>> >
>> > It will match anything coming from the IdP via the shib-cas plugin.
>> >
>> > However, as soon as I try to match on a particular entityId of interest,
>> > the serviceId regex fails. E.g.:
>> > "^https://example\\.edu/idp/Authn/External.*entityId=FooBar.*"
>> >
>> > CAS appears to drop all the parameters after the "&". I.e. this is
>> > sufficient to cause a non-match for anything:
>> > "^https://example\\.edu/idp/Authn/External.*entityId.*"
>> >
>> > On the CAS side, it only appears to see the service as:
>> > service=https://example.edu/idp/Authn/External?conversation=e1s2
>> >
>> > Is there a way to use the entityId in the serviceId regex to accomplish
>> > our goal?
>> >
>> > CAS does seem to actually capture the entityId, because it shows up in
>> > logs like:
>> >
>> > DEBUG [org.apereo.cas.web.flow.actions.RedirectToServiceAction] - <Located service [AbstractWebApplicationService(id=https://example.edu/idp/Authn/External?conversation=e1s2, originalUrl=https://example.edu/idp/Authn/External?conversation=e1s2, artifactId=null, principal=foo_user, source=service, loggedOutAlready=false, format=XML, attributes={service=[https://example.edu/idp/Authn/External?conversation=e1s2], entityId=[FooBar], renew=[true], conversation=[e1s2]})] from the context>
>> >
>> > Although the log suggests it is assigned to an (context?) attribute,
>> > this doesn't seem to be accessible to the ABAC type accessStrategy. For
>> > example, this doesn't seem to work in the service registration:
>> >   "accessStrategy" : {
>> >     "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
>> >     "requiredAttributes" : {
>> >       "@class" : "java.util.HashMap",
>> >       "entityId" : [ "java.util.HashSet", [ "FooBar" ] ]
>> >     }
>> >   }
>> >
>> > Is there a way to accomplish our goal using entityId via an
>> > accessStrategy if not via the serviceId regex?
>> >
>> > Or is there some other recommended way of going about this?
>> >
>> > [*] shib-cas-authn: <https://github.com/Unicon/shib-cas-authn>
>> >
>> > --
>> > Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
>> > minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>> >
>> > --
>> > - Website: https://apereo.github.io/cas
>> > - Gitter Chatroom: https://gitter.im/apereo/cas
>> > - List Guidelines: https://goo.gl/1VRrw7
>> > - Contributions: https://goo.gl/mh7qDG
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "CAS Community" group.
>> > To unsubscribe from this group and stop receiving emails from it,
>> > send an email to cas-user+unsubscr...@apereo.org.
>> > To view this discussion on the web visit
>> > https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAAjLUL3OSz1wh_d8UOEYsVKwcAQoUB0z8GNJq8rS9pQGFb4rdg%40mail.gmail.com.
>>
>>
>>
>> --
>> Pascal Rigaux
>>
>>
>
>
> --
> Baron Fujimoto <ba...@hawaii.edu> ::: UH Information Technology Services
> minutas cantorum, minutas balorum, minutas carboratum descendus pantorum
>
>


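The behaviour Dan and Pascal describe, as an added worked example that is not part of this thread and not code from CAS or shib-cas-authn: it builds the CAS login URL both ways (entityId appended as a separate request parameter, versus embedded in the service value before the whole value is urlencoded, which is what `shibcas.entityIdLocation=embed` does), extracts the service id the way CAS would (the decoded `service` parameter and nothing else), and runs Baron's serviceId regex against it. The hostnames, the entityId `FooBar` and the conversation id come from the thread; the function names and the constructed URLs are my own. The second, stricter pattern is an addition: it requires `entityId=FooBar` to be a complete query parameter, so a service carrying `entityId=FooBarBaz` does not also match the registered service.

```python
"""Added example: why shibcas.entityIdLocation=embed makes the entityId
visible to a CAS serviceId regex. Illustrative Python only; not CAS or
shib-cas-authn code. Hosts and the entityId are the thread's examples."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit

CAS_BASE = "https://cas.example.edu/cas"                                 # from the thread
IDP_CALLBACK = "https://example.edu/idp/Authn/External?conversation=e1s2"  # from the thread


def build_login_url(entity_id, embed, cas_base=CAS_BASE, callback=IDP_CALLBACK):
    """Build the /cas/login URL the way the two entityIdLocation modes do
    (constructed approximation of the plugin's behaviour).

    embed=False: entityId is its own query parameter of the login URL; it is
                 not part of 'service'.
    embed=True:  '&entityId=...' is appended to the service value *before*
                 the whole value is urlencoded, so it travels inside 'service'.
    """
    if embed:
        params = {"renew": "true", "service": f"{callback}&entityId={entity_id}"}
    else:
        params = {"renew": "true", "service": callback, "entityId": entity_id}
    # urlencode uses quote_plus, so '&', '=', '?', ':' and '/' inside the
    # service value are all percent-encoded, exactly as in the access log line.
    return f"{cas_base}/login?" + urlencode(params)


def service_seen_by_cas(login_url):
    """Decode the request as CAS does: the service id is the decoded value of
    the 'service' parameter; any other parameter is not part of it."""
    query = parse_qs(urlsplit(login_url).query)
    return query["service"][0]


# Baron's pattern. Java and Python regex syntax agree for this expression;
# in a CAS JSON service file the backslash is doubled: "^https://example\\.edu/...".
LOOSE_REGEX = r"^https://example\.edu/idp/Authn/External.*entityId=FooBar.*"

# Added tighter pattern: entityId must be a whole parameter, wherever it sits
# in the query string, so 'entityId=FooBarBaz' cannot match 'FooBar'.
STRICT_REGEX = r"^https://example\.edu/idp/Authn/External\?(.*&)?entityId=FooBar(&.*)?$"


def matches_registered_service(login_url, pattern):
    """True if the service CAS extracts matches the registered serviceId regex."""
    return re.match(pattern, service_seen_by_cas(login_url)) is not None


if __name__ == "__main__":
    for embed in (False, True):
        url = build_login_url("FooBar", embed)
        print(f"embed={embed}: service={service_seen_by_cas(url)!r} "
              f"loose={matches_registered_service(url, LOOSE_REGEX)} "
              f"strict={matches_registered_service(url, STRICT_REGEX)}")
```

With `embed=False` the service CAS extracts ends at `conversation=e1s2`, so no serviceId regex can see the entityId, which is exactly what Baron's log showed; with `embed=True` both patterns match. When mocking the connector from a browser, as Baron tried, the whole service value including `&entityId=FooBar` has to be urlencoded the same way, otherwise the browser test reproduces the non-embed case.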