[cas-user] json services and optional delegated login

Fri, 09 May 2025 10:42:42 -0700 

I have a oidc delegated service to azure and it has 
cas.authn.pac4j.oidc[0].generic.client-name=AzureClient
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER

I then have a few service files that have:
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled": true,
"ssoEnabled": true,
"delegatedAuthenticationPolicy" : {
"@class" : 
"org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy"
,
"allowedProviders" : [ "java.util.ArrayList", [ "AzureClient"] ],
"permitUndefined": false,
"exclusive": true
}
}

Auto redirect to Azure works well.

But now I have another service that should not redirect and instead login 
via the cas/login page. For that, my service file simply has this for 
acceessStragegy:
"accessStrategy": {
"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"enabled": true,
"ssoEnabled": true
},

But this is still redirecting to the AzureClient.
If I remove
cas.authn.pac4j.oidc[0].generic.auto-redirect-type=SERVER
from config, it is then not redirecting my clients intended for delegated 
login to AzureClient.

Any workarounds or something that I am missing? I also made sure the 
evaluationOrder looks for services meant for cas/login authentication first.

Another strange thing regarding evalutionOrder, I thought first one it 
finds is the one it uses. But i see in the logs, CAS is going thru each one 
with messages like

 WHAT: {result=Client Access Granted,
 WHAT: {result=Client Access Denied,  
 WHAT: {result=Client Access Granted,

regex matches both 1st and 3rd but i want 1st one (more specific regex) to 
be used.

-psv
  

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/ae28f626-9e96-4930-8bb7-841ef685964an%40apereo.org.

Reply via email to