[cas-user] Limiting login forms on CAS login page in multiple auth handler environment
In our CAS environment, some services need to authenticate users using LDAP (Active Directory) and others need to authenticate through delegation with Azure. Ideally, we'd like to have the user be presented with only a single login form on the CAS login page. With delegated authentication, this can be achieved with the use of the allowedProviders list in the delegatedAuthenticationPolicy block of the service definition. For example:

    "accessStrategy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
      "delegatedAuthenticationPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
        // Allowed providers is a list of external identity provider names (i.e. client
        // names from cas.properties)
        "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
        "permitUndefined" : true,
        "exclusive" : true
      }
    }

This works well for delegated services. However, I have not been able to find a similar method for services that are authenticated via LDAP, and the login page still shows the delegated login buttons ("Student Login" and "Employee Login") beside the usual CAS login form.
I have tried using requiredHandlers, but this doesn't have a noticeable effect (from https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html and this blog https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/):

    {
      /*
       * Custom applications requiring CAS authentication against LDAP (Active Directory)
       */
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://exampleserver.com/studentApp/.*",
      "name" : "Student App",
      "id" : 2020082414,
      "evaluationOrder" : 5,
      "enabled" : true,
      "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes" : {
          "@class" : "java.util.TreeMap",
          "sn" : "sn",
          "cn" : "cn"
        }
      }
    }

And of course, here are the appropriate snippets from our cas.properties:

    cas.authn.ldap[0].order: 0
    cas.authn.ldap[0].name: EmployeeActiveDirectory
    ...
    cas.authn.ldap[1].order: 1
    cas.authn.ldap[1].name: StudentActiveDirectory
    ...
    cas.authn.pac4j.saml[0].clientName: Employee Login
    ...
    cas.authn.pac4j.saml[1].clientName: Student Login

This warning shows up in the cas.log:

    2020-08-24 10:03:06,162 WARN [org.apereo.cas.services.AbstractRegisteredService] -

And this one as well, though I'm not sure if it's related; I wouldn't expect to see it considering the use of requiredHandlers in the service definition:

    2020-08-24 10:03:17,441 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] -

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11. Any ideas and/or suggestions are greatly appreciated.

Doug

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/d2368420-c70b-4eea-b6fc-734154a5ea60n%40apereo.org.
[cas-user] Display single login form in multiple authenticator environment
In our CAS environment, some services need to authenticate users using LDAP (Active Directory) and others need to authenticate through delegation with Azure. Ideally, we'd like to have the user be presented with only a single login form on the CAS login page. With delegated authentication, this can be achieved with the use of the allowedProviders list in the delegatedAuthenticationPolicy block of the service definition. For example:

    "accessStrategy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
      "delegatedAuthenticationPolicy" : {
        "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
        // Allowed providers is a list of external identity provider names (i.e. client
        // names from cas.properties)
        "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
        "permitUndefined" : true,
        "exclusive" : true
      }
    }

This works well for delegated services. However, I have not been able to find a similar method for services that are authenticated via LDAP, and the login page still shows the delegated login buttons beside the usual CAS login form.
I have tried using requiredAuthenticationHandlers, but this doesn't have a noticeable effect (from https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html and this blog https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/):

    {
      /*
       * Custom applications requiring CAS authentication against LDAP (Active Directory)
       */
      "@class" : "org.apereo.cas.services.RegexRegisteredService",
      "serviceId" : "^https://exampleserver.com/studentApp/.*",
      "name" : "Student App",
      "id" : 2020082414,
      "evaluationOrder" : 5,
      "enabled" : true,
      "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
      "attributeReleasePolicy" : {
        "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
        "allowedAttributes" : {
          "@class" : "java.util.TreeMap",
          "sn" : "sn",
          "cn" : "cn"
        }
      }
    }

And of course, here are the appropriate snippets from our cas.properties:

    cas.authn.ldap[0].order: 0
    cas.authn.ldap[0].name: EmployeeActiveDirectory
    ...
    cas.authn.ldap[1].order: 1
    cas.authn.ldap[1].name: StudentActiveDirectory
    ...
    cas.authn.pac4j.saml[0].clientName: Employee Login
    ...
    cas.authn.pac4j.saml[1].clientName: Student Login

This warning shows up in the cas.log:

    2020-08-24 10:03:06,162 WARN [org.apereo.cas.services.AbstractRegisteredService] -

And this one as well, though I'm not sure if it's related; I wouldn't expect to see it considering the use of requiredHandlers in the service definition:

    2020-08-24 10:03:17,441 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] -

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11. Any ideas and/or suggestions are greatly appreciated.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9dd0b96b-eeb3-40bb-a2c3-0769d32a8f89n%40apereo.org.
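An added example, not part of either post above and not code from the Apereo CAS project: a small Python audit that reads service definitions in the JSON-with-comments form the posts use, unwraps the Jackson typed collections (["java.util.HashSet", [ ... ]]), and cross-checks every requiredHandlers and allowedProviders entry against the handler and client names declared in cas.properties, so that a name mismatch is caught before CAS silently ignores the reference. The sample service definitions and property lines are constructed for the example (one provider name is deliberately misspelled); the property-key patterns it recognises (cas.authn.<x>[N].name and cas.authn.pac4j.<x>[N].clientName) and the rule that an exclusive delegated policy conflicts with a required non-delegated handler are the example's own assumptions, not CAS behaviour confirmed by the posts.

```python
import json
import re

# Constructed sample: the Student App definition from the post, as it would
# sit in the JSON service registry (comments included).
STUDENT_APP_JSON = r'''
{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : { "@class" : "java.util.TreeMap", "sn" : "sn", "cn" : "cn" }
  }
}
'''

# Constructed sample: a delegated service with a deliberate typo in one
# provider name ("Employe Login") and an exclusive delegated policy combined
# with a required LDAP handler, to show what the audit reports.
DELEGATED_APP_JSON = r'''
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/portal/.*",   // the // inside the URL must survive
  "name" : "Portal",
  "id" : 2020082415,
  "requiredHandlers" : [ "java.util.HashSet", [ "EmployeeActiveDirectory" ] ],
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employe Login" ] ],
      "permitUndefined" : true,
      "exclusive" : true
    }
  }
}
'''

# Constructed sample of the relevant cas.properties lines.
CAS_PROPERTIES = '''
cas.authn.ldap[0].order: 0
cas.authn.ldap[0].name: EmployeeActiveDirectory
cas.authn.ldap[1].order: 1
cas.authn.ldap[1].name: StudentActiveDirectory
cas.authn.pac4j.saml[0].clientName: Employee Login
cas.authn.pac4j.saml[1].clientName: Student Login
'''


def strip_json_comments(text):
    """Remove // and /* */ comments, but never inside a JSON string (URLs contain //)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith('//', i):
            j = text.find('\n', i)
            i = n if j == -1 else j
        elif text.startswith('/*', i):
            j = text.find('*/', i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return ''.join(out)


def unwrap_typed(value):
    """Turn Jackson's ["java.util.X", [items]] wrapper into a plain list, recursively."""
    if (isinstance(value, list) and len(value) == 2 and isinstance(value[0], str)
            and value[0].startswith('java.') and isinstance(value[1], list)):
        return [unwrap_typed(v) for v in value[1]]
    if isinstance(value, list):
        return [unwrap_typed(v) for v in value]
    if isinstance(value, dict):
        return {k: unwrap_typed(v) for k, v in value.items()}
    return value


def parse_service(text):
    return unwrap_typed(json.loads(strip_json_comments(text)))


PROPERTY_LINE = re.compile(r'^\s*([^#=:\s]+)\s*[:=]\s*(.*?)\s*$')
# Assumed key shapes, derived from the entries shown in the post.
HANDLER_NAME_KEY = re.compile(r'^cas\.authn\.(?!pac4j\.)[\w.]+\[\d+\]\.name$')
CLIENT_NAME_KEY = re.compile(r'^cas\.authn\.pac4j\.\w+\[\d+\]\.clientName$')


def parse_cas_properties(text):
    props = {}
    for line in text.splitlines():
        m = PROPERTY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def handler_names(props):
    return {v for k, v in props.items() if HANDLER_NAME_KEY.match(k)}


def client_names(props):
    return {v for k, v in props.items() if CLIENT_NAME_KEY.match(k)}


def audit_service(service, handlers, clients):
    """Return a list of human-readable findings for one parsed service definition."""
    findings = []
    label = str(service.get('name') or service.get('id'))
    if service.get('@class', '').endswith('RegexRegisteredService'):
        try:
            re.compile(service.get('serviceId', ''))
        except re.error as exc:
            findings.append(f"{label}: serviceId is not a valid regex ({exc})")
    required = service.get('requiredHandlers') or []
    for h in required:
        if h not in handlers:
            findings.append(f"{label}: requiredHandlers names unknown handler '{h}'")
    policy = (service.get('accessStrategy') or {}).get('delegatedAuthenticationPolicy') or {}
    for p in policy.get('allowedProviders') or []:
        if p not in clients:
            findings.append(f"{label}: allowedProviders names unknown client '{p}'")
    # Heuristic (this example's assumption): exclusive delegation means only the
    # external providers run, so requiring a non-delegated handler cannot be met.
    if policy.get('exclusive'):
        for h in required:
            if h in handlers:
                findings.append(f"{label}: exclusive delegated policy but requiredHandlers "
                                f"needs non-delegated handler '{h}'")
    return findings


def run_audit(service_texts, properties_text):
    props = parse_cas_properties(properties_text)
    handlers, clients = handler_names(props), client_names(props)
    findings = []
    for text in service_texts:
        findings.extend(audit_service(parse_service(text), handlers, clients))
    return findings


if __name__ == '__main__':
    for finding in run_audit([STUDENT_APP_JSON, DELEGATED_APP_JSON], CAS_PROPERTIES):
        print(finding)
```

Point run_audit at the files in your JSON service registry directory and your cas.properties; the Student App definition from the post comes back clean, while the constructed Portal service is reported twice (the misspelled client name and the exclusive-plus-required-handler conflict).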