[cas-user] Limiting login forms on CAS login page in multiple auth handler environment

2020-08-24 Thread Doug Secord

In our CAS environment, some services need to authenticate users using LDAP 
(Active Directory) and others need to authenticate through delegation with 
Azure.

Ideally, we'd like to have the user be presented with only a single 
login form on the CAS login page. With the delegated authentication, this 
can be achieved with the use of allowedProviders list in the 
delegatedAuthenticationPolicy block of the service definition.

For example:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      // Allowed providers is a list of external identity provider names
      // (i.e. client names from cas.properties)
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }

This works well for delegated services. However, I have not been able to 
find a similar method for services that are authenticated via LDAP, and the 
login page still shows the delegated login buttons ("Student Login" and 
"Employee Login") beside the usual CAS login form. I have tried using 
requiredHandlers, but this doesn't have a noticeable effect (from 
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html 
and this blog 
https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/): 

{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}

And of course, here are the appropriate snippets from our cas.properties:

cas.authn.ldap[0].order:0
cas.authn.ldap[0].name:EmployeeActiveDirectory
...
cas.authn.ldap[1].order:1
cas.authn.ldap[1].name:StudentActiveDirectory
...
cas.authn.pac4j.saml[0].clientName:   Employee Login
...
cas.authn.pac4j.saml[1].clientName:   Student Login

This warning shows up in the cas.log:

2020-08-24 10:03:06,162 WARN [org.apereo.cas.services.AbstractRegisteredService] - 

And this, as well, though I'm not sure if it's related, I wouldn't expect 
to see it considering the use of requiredHandlers in the service definition:

2020-08-24 10:03:17,441 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - 

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11.

Any ideas and/or suggestions are greatly appreciated.

Doug

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/d2368420-c70b-4eea-b6fc-734154a5ea60n%40apereo.org.


[cas-user] Display single login form in multiple authenticator environment

2020-08-24 Thread Doug Secord

In our CAS environment, some services need to authenticate users using LDAP 
(Active Directory) and others need to authenticate through delegation with 
Azure.

Ideally, we'd like to have the user be presented with only a single 
login form on the CAS login page. With the delegated authentication, this 
can be achieved with the use of allowedProviders list in the 
delegatedAuthenticationPolicy block of the service definition.

For example:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      // Allowed providers is a list of external identity provider names
      // (i.e. client names from cas.properties)
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }

This works well for delegated services. However, I have not been able to 
find a similar method for services that are authenticated via LDAP, and the 
login page still shows the delegated login buttons beside the usual CAS 
login form. I have tried using requiredAuthenticationHandlers, but this 
doesn't have a noticeable effect (from 
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html 
and this blog 
https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/): 

{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}

And of course, here are the appropriate snippets from our cas.properties:

cas.authn.ldap[0].order:0
cas.authn.ldap[0].name: EmployeeActiveDirectory
...
cas.authn.ldap[1].order:1
cas.authn.ldap[1].name: StudentActiveDirectory
...
cas.authn.pac4j.saml[0].clientName:   Employee Login
...
cas.authn.pac4j.saml[1].clientName:   Student Login


This warning shows up in the cas.log:

2020-08-24 10:03:06,162 WARN [org.apereo.cas.services.AbstractRegisteredService] - 

And this, as well, though I'm not sure if it's related, I wouldn't expect 
to see it considering the use of requiredHandlers in the service definition:

2020-08-24 10:03:17,441 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - 

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11.

Any ideas and/or suggestions are greatly appreciated.

To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/9dd0b96b-eeb3-40bb-a2c3-0769d32a8f89n%40apereo.org.
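As an added example (not from either post, nor from the CAS project), a small Python checker that cross-references a CAS JSON service definition against cas.properties: it strips the comments CAS permits in service JSON, unwraps the Jackson-typed collections, and reports every requiredHandlers entry or allowedProviders name that matches no configured handler name or pac4j clientName, since a typo in either place is easy to miss. The service JSON and properties excerpt are constructed, and the patterns for the property keys are assumed from the keys quoted in the posts.

```python
import json
import re

# Constructed service definition in the posts' shape; one handler and one provider are misspelled on purpose.
SERVICE_JSON = """{
  /* Custom app requiring CAS authentication against LDAP (Active Directory) */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectry" ] ],
  "accessStrategy" : {
    "delegatedAuthenticationPolicy" : {
      // only these pac4j clients may be offered on the login page
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Staff Login" ] ]
    }
  }
}"""

# Constructed cas.properties excerpt (keys as quoted in the posts; ':' or '=' both separate key and value).
CAS_PROPERTIES = """cas.authn.ldap[0].name:EmployeeActiveDirectory
cas.authn.ldap[1].name: StudentActiveDirectory
cas.authn.pac4j.saml[0].clientName:   Employee Login
cas.authn.pac4j.saml[1].clientName=Student Login
"""

def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments (allowed in CAS service JSON) while leaving string literals intact."""
    pattern = r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*'
    return re.sub(pattern, lambda m: m.group(0) if m.group(0).startswith('"') else "", text, flags=re.S)

def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: key, then ':' or '=', then value (surrounding whitespace dropped)."""
    pairs = (re.match(r"\s*([^#!=:\s]+)\s*[=:]\s*(.*?)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def unwrap(value):
    """Unwrap Jackson typed collections such as [ "java.util.HashSet", [ ... ] ] to the inner list."""
    typed = isinstance(value, list) and len(value) == 2 and str(value[0]).startswith("java.util.")
    return value[1] if typed else value

def check_service(service_json: str, properties: str) -> list:
    """Return one finding per handler or provider name the service references but cas.properties never defines."""
    svc = json.loads(strip_json_comments(service_json))
    props = parse_properties(properties)
    handlers = {v for k, v in props.items() if re.fullmatch(r"cas\.authn\.\w+\[\d+\]\.name", k)}
    providers = {v for k, v in props.items() if re.fullmatch(r"cas\.authn\.pac4j\.\w+\[\d+\]\.clientName", k)}
    findings = [f"requiredHandlers references unknown handler: {n}"
                for n in unwrap(svc.get("requiredHandlers", [])) if n not in handlers]
    policy = svc.get("accessStrategy", {}).get("delegatedAuthenticationPolicy", {})
    findings += [f"allowedProviders references unknown provider: {n}"
                 for n in unwrap(policy.get("allowedProviders", [])) if n not in providers]
    return findings
```

Running check_service over every file in the JSON service registry before deployment turns a silent name mismatch into an explicit finding.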