Hi Martin, I have asked this before, see here: https://groups.google.com/a/apereo.org/forum/#!topic/cas-user/SXHIyRWqsT0
We have implemented that into our CAS code, however it is very customized to our specific application, so unfortunately I cannot share my current setup in detail with you. Our solution does involve your proposed approach 3, but with more customized code in other CAS modules to make it work.

As for "No ideas where to start"... If I were to do it again, my checklist would be:

*(Everything written below is just my opinion, it does not mean it is the best way to do things, implement it at your own risk!)*

*1. How to identify a Facebook user*
*2. How to know whether the Facebook user is indeed a valid user*
*3. How to restrict CAS to only authorize the few users that are valid*

==============================================================

*1. How to identify a Facebook user*

You can do that by using the https://apereo.github.io/cas/5.3.x/integration/Delegate-Authentication.html#authenticated-user-id. Facebook is using a unique identifier for each of its users, so that id can help you distinguish your users.

*2. How to know whether the Facebook user is indeed a valid user*

You will need a database to store the relationship between the Facebook user and the valid CAS account. Also, preferably you need a page to allow them to link their Facebook to their CAS account, otherwise you will need to manually input their Facebook uid, which will be impractical unless you have only a few Facebook users... You can integrate that page inside of CAS, or just make a random page on your website somewhere; it should work either way.

*3. How to restrict CAS to only authorize the few users that are valid*

This is the part your question asks about in detail, so I will try to add some comments on it: CAS is flexible, so many places in CAS can be edited to allow and stop users passing through; I think most of your approaches can be made to work.

From my perspective it is not which one is possible, rather which one is a more appropriate way to do it, will require less effort, and is easier to maintain:

*Approach 1*: I think this one is the more appropriate one to do out of all of your approaches given. Since you need to enforce your users based on a database, maybe you can try using the Groovy scripts one? https://apereo.github.io/cas/5.3.x/installation/Configuring-Service-Access-Strategy.html#groovy. *doPrincipalAttributesAllowServiceAccess* seems like a good function to start with :D

*Approach 2*: Never used interrupt authentication before, so I will skip analyzing it :)

*Approach 3*: This one is definitely possible as I stated above, however it does make the code hard to maintain. When it says "It is best to AVOID overlaying/modifying flow configuration files by hand manually" they are not joking. I would suggest avoiding this route if possible.

*Approach 4*: That seems a bit over-engineered to me too...

============================================================

See if others also may have some more insight on this topic?

Cheers!
- Andy

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/aba6bab2-38d0-4637-96f3-6f47f2843c82%40apereo.org.
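To make Approach 1 concrete, here is an added example of a Groovy service access strategy script for CAS 5.3 that allows a service only when the delegated (Facebook) principal id is linked to a valid local account, covering steps 2 and 3 of the checklist above. It is not code from the post or from the CAS project; it assumes the 5.3 documented method names and argument order (`args[0]` principal id, `args[1]` attributes, `args[2]` logger), assumes the principal id is the raw Facebook user id (the CAS default), and uses a constructed in-script map in place of the real link database; `lookupLinkedAccount` and the table layout are hypothetical.

```groovy
import groovy.transform.Field

// Constructed sample of the Facebook-uid -> local-account link table
// (step 2 of the checklist). @Field makes it visible from the script methods
// below, which CAS invokes without running the script body.
@Field Map<String, Map> LINKED_ACCOUNTS = [
    '10001234567890': [account: 'alice', active: true],
    '10009876543210': [account: 'bob',   active: false]   // linked but disabled
]

// Hypothetical lookup: returns the link row, or null if the uid is unknown.
// In production, replace the map with a query against the link database,
// e.g. with groovy.sql.Sql:
//   sql.firstRow('select account, active from fb_link where facebook_uid = ?', [uid])
Map lookupLinkedAccount(String facebookUid) {
    return LINKED_ACCOUNTS.get(facebookUid)
}

// Service-level checks: the service itself stays enabled; the per-user
// decision is made in doPrincipalAttributesAllowServiceAccess below.
def boolean checkServiceAccess(Object[] args) {
    return true
}

def boolean checkServiceAccessSsoEnabled(Object[] args) {
    return true
}

// Per-user check (Approach 1). Assumed argument order, as documented for
// CAS 5.3: args[0] = principal id, args[1] = principal attributes, args[2] = logger.
// Assumption: with delegated authentication the principal id is the raw
// Facebook user id (CAS default, no typed-id prefix).
def boolean doPrincipalAttributesAllowServiceAccess(Object[] args) {
    String principalId = args[0]
    def logger = args[2]
    try {
        Map link = lookupLinkedAccount(principalId)
        if (link == null) {
            logger.warn("Denying access: Facebook uid [{}] is not linked to any account", principalId)
            return false
        }
        if (!link.active) {
            logger.warn("Denying access: account [{}] linked to uid [{}] is disabled", link.account, principalId)
            return false
        }
        logger.info("Allowing access: account [{}] via Facebook uid [{}]", link.account, principalId)
        return true
    } catch (Exception e) {
        // Fail closed: a lookup failure must never turn into an allow.
        logger.error("Access check failed for uid [{}]: {}", principalId, e.getMessage())
        return false
    }
}
```

The script is wired to a registered service through its `accessStrategy` with `"@class" : "org.apereo.cas.services.GroovyRegisteredServiceAccessStrategy"` and a `groovyScript` pointing at the file (an assumed path such as `file:/etc/cas/config/facebook-access.groovy`), per the Groovy section of the access-strategy doc linked above. Only users whose Facebook uid has an active row in the link table pass; unknown uids, disabled accounts and lookup errors are all denied.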