Allow mixed CAS protection mode
Currently we can either open CAS issuer so any CAS clients can use the LL::NG portal without being declared in configuration, or require that every CAS client is defined in configuration, and apply access rules and check authentication levels.
We could provide a mixed mode:
- Apply access rule for CAS applications defined in configuration
- Allow all other CAS applications if they are not in configuration
The goal is to enforce access control or minimum authentication level on a few CAS applications, without being forced to register all existing CAS applications in LL::NG configuration