Marinos An

Reputation: 10826

In CAS how can I restrict access to only one service if agreement is not yet accepted?

There is a requirement that the users should first accept some license agreement, which exists only in serviceA, in order to be able to log in to all other services.

So the process should be:

Notes:
The code for services other than serviceA cannot be modified.
Also CAS has access to the agreement_accepted flag.

CAS Version used: 5.3.4

Upvotes: 3

Views: 548

Answers (1)

Misagh Moayyed

Reputation: 4318

Assuming agreement_accepted is an attribute for the authenticating user, you can design two access strategies, S1 and S2, that apply to service A and all other applications.

  • For S1, the strategy is the default in CAS where access to service A is granted without issues.
  • For S2, you can configure the strategy to only grant access to the application and allow CAS to issue a ticket, if agreement_accepted as an attribute has a value of, let's say, true.

Access strategies for services/applications are detailed here: https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html

See this as an example: https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html#enforce-attributes

You will need to make sure S2 is assigned to all other applications, except the record for Service A.

PS You may also consider bumping your CAS version to 5.3.8, which is the latest in 5.3.x as of this writing.

Upvotes: 4
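
The two service records described in the answer above, written as CAS 5.3 JSON service registry definitions. This is an added example, not part of the original answer or the CAS project's own files; the file names, host names, ids, evaluation orders and the redirect URL are constructed placeholders, and it assumes agreement_accepted is released to CAS as a principal attribute with the string value true.

```json
/* File: ServiceA-1.json (constructed name). S1: default strategy, no attribute check. */
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://servicea\\.example\\.org/.*",
  "name" : "ServiceA",
  "id" : 1,
  /* Lower number is matched first, so service A never falls into the S2 record. */
  "evaluationOrder" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true
  }
}

/* File: OtherServices-2.json (constructed name). S2: ticket only if agreement_accepted=true. */
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://.*\\.example\\.org/.*",
  "name" : "OtherServices",
  "id" : 2,
  "evaluationOrder" : 100,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "enabled" : true,
    "ssoEnabled" : true,
    /* Placeholder URL: where CAS sends users who fail the attribute check. */
    "unauthorizedRedirectUrl" : "https://servicea.example.org/agreement",
    "requireAllAttributes" : true,
    "requiredAttributes" : {
      "@class" : "java.util.HashMap",
      "agreement_accepted" : [ "java.util.HashSet", [ "true" ] ]
    }
  }
}
```

Each record goes in its own file in the JSON service registry directory. Because the S2 pattern also matches service A's URL, the evaluationOrder values are what keep service A on the unrestricted record.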
