Pac4j SAML Authentication Delegation Questions


Rich Renomeron

Nov 8, 2016, 5:34:09 PM
to cas-...@apereo.org
My current (3.x) overlay allows for delegation of authentication to a private federation of SAML 2 IdPs via a custom AuthenticationHandler that integrates with a Shibboleth SP sitting in front of CAS.  I'm trying to figure out whether I can replace this in my in-progress 5.x overlay with the pac4j support (yay! less custom code!).  I spent some time poking around in the docs and code, but I'm not sure of the answer to the following questions:
  1. Can the pac4j support handle multiple IdPs?  (I assume the metadata file in the configuration properties can handle multiple EntityDescriptor tags.)
  2. Assuming (1) is true, is the Login Provider UI smart enough to populate multiple provider buttons for the different IdPs?  (This would be really cool, as it would allow me to jettison more custom code.)
  3. This may be my ignorance of the new Spring way of wiring things (if so, tell me to RTFM), but is it possible to hook in a custom PrincipalResolver to the pac4j AuthenticationHandlers?  I have a specialized interface to a proprietary directory to map attributes in the SAML assertion to an entry in our directory.
If the answer to any of these is 'no', would it be possible to accommodate them with a patch to only CAS code (or custom extensions), or will (at least for (1) and (2)) it require changes to pac4j as well?

Thanks,
Rich

--
Rich Renomeron, Project Lead
TCG, Inc. - Positively Distinct - CMMI-DEV Level 3 - CMMI-SVC Level 2 - ISO 9001:2008
+1 (202) 643-8460 | richard....@tcg.com | www.tcg.com

Misagh Moayyed

Nov 8, 2016, 6:28:11 PM
to cas-...@apereo.org

> I'm not sure of the answer to the following questions:
>
> 1. Can the pac4j support handle multiple IdPs? (I assume the metadata file in the configuration properties can handle multiple EntityDescriptor tags.)

Yes.

> 2. Assuming (1) is true, is the Login Provider UI smart enough to populate multiple provider buttons for the different IdPs? (This would be really cool, as it would allow me to jettison more custom code.)

No.

> 3. This may be my ignorance of the new Spring way of wiring things (if so, tell me to RTFM), but is it possible to hook in a custom PrincipalResolver to the pac4j AuthenticationHandlers? I have a specialized interface to a proprietary directory to map attributes in the SAML assertion to an entry in our directory.

Yes, define a bean with this id:
https://github.com/apereo/cas/blob/master/support/cas-server-support-pac4j/src/main/java/org/apereo/cas/support/pac4j/config/Pac4jConfiguration.java#L59

> If the answer to any of these is 'no', would it be possible to accommodate them with a patch to only CAS code (or custom extensions), or will (at least for (1) and (2)) it require changes to pac4j as well?

Always, yes.
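As an added illustration of question (1), not code from this thread or from CAS/pac4j: a Python check over a constructed SAML metadata aggregate holding several EntityDescriptor entries. It lists the IdP roles a delegation handler could be pointed at and flags any IdP whose descriptor carries no signing certificate, since responses from such an IdP could not be signature-verified from this metadata. The entity IDs, URLs and certificate value are made up.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample aggregate (not real federation metadata): two IdPs and one SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-b.example.org/idp/SSO/Redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

def list_idps(metadata_xml):
    """One record per IdP role: entityID, HTTP-Redirect SSO URL, whether a signing cert is present."""
    root = ET.fromstring(metadata_xml)
    idps = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entities are not delegation targets
        sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
               if s.get("Binding") == REDIRECT]
        # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
        signing = [k for k in idp.findall("md:KeyDescriptor", NS)
                   if k.get("use") in (None, "signing")
                   and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None]
        idps.append({"entity_id": ed.get("entityID"),
                     "sso_redirect": sso[0] if sso else None,
                     "has_signing_cert": bool(signing)})
    return idps

def idps_missing_signing_cert(metadata_xml):
    # IdPs whose responses could not be signature-checked from this metadata alone.
    return [i["entity_id"] for i in list_idps(metadata_xml) if not i["has_signing_cert"]]
```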

