Global post authentication processing


Filip Majernik

Oct 9, 2017, 6:47:16 AM10/9/17
to CAS Community
I am using CAS to authenticate users for a service which contains user profiles. I need to map these user profiles to the users, i.e. I need a unique user identifier, which I get from the authentication. This is more or less provided by CAS; however, I also need to store the information about where the user comes from (or which authentication provider he used - internal one, external SAML, OAuth, LDAP, etc.). Is there any configurable way to do this? I think I could override the AbstractPreAndPostProcessingAuthenticationHandler.postAuthenticate() method and try to retrieve some information from the credentials.

Another problem which I face in this context is that prior to the authentication I need a mapping of the user profiles to the users. This needs to be imported by the system administrator; however, he needs to know the unique IDs which CAS will be returning for the users. From the documentation for the delegated authentication:
  • An identifier which is the profile type + # + the identifier of the user for this provider (i.e. FacebookProfile#0000000001)
Is there any ENUM or anything which identifies the providers inside CAS? I need to have a list of profiles with at least these attributes:
  • ID of the user (must be unique throughout CAS)
  • origin - unique identifier of the system or authentication handler, i.e. LDAP, SAML 2.0 for Google, SAML 2.0 for Facebook, etc.
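As an added example (not from the original post, CAS or pac4j): how the relying service could normalise the identifiers described above into an (origin, id) key and resolve it against the mapping the administrator imported, denying anyone not in the list. The delegated "ProfileType#id" shape comes from the documentation quoted above; treating the configured handler name as the origin for internal logins, and every sample value in the mapping, are assumptions.

```python
from typing import Dict, Optional, Tuple

# Delegated (pac4j) logins arrive as "<ProfileType>#<id>", e.g. "FacebookProfile#0000000001".
# For internal handlers (LDAP etc.) we ASSUME the handler name configured in CAS is used as
# the origin and combined with the principal id in the same way; this is not CAS behaviour.
SEPARATOR = "#"


def parse_typed_id(typed_id: str) -> Tuple[str, str]:
    """Split "origin#id" on the FIRST '#' so identifiers that themselves contain '#' survive."""
    origin, sep, user_id = typed_id.partition(SEPARATOR)
    if not sep or not origin or not user_id:
        raise ValueError(f"malformed typed id: {typed_id!r}")
    return origin, user_id


def typed_id_for_handler(handler_name: str, principal_id: str) -> str:
    """Build the same shape of key for a non-delegated login (e.g. an LDAP handler)."""
    if SEPARATOR in handler_name:
        raise ValueError("handler name must not contain the separator")
    return f"{handler_name}{SEPARATOR}{principal_id}"


def resolve_profile(typed_id: str, mapping: Dict[Tuple[str, str], str]) -> Optional[str]:
    """Return the service's profile for an authenticated user, or None if it was never imported.

    Returning None (deny) instead of auto-creating a profile means a user from an unexpected
    origin, or a malformed identifier, never gets silently attached to someone else's profile.
    """
    try:
        key = parse_typed_id(typed_id)
    except ValueError:
        return None
    return mapping.get(key)


# Constructed sample of what the administrator would import: (origin, user id) -> profile.
ADMIN_MAPPING: Dict[Tuple[str, str], str] = {
    ("FacebookProfile", "0000000001"): "profile-alice",
    ("SAML2Profile", "bob@example.com"): "profile-bob",
    ("corp-ldap", "carol"): "profile-carol",  # origin = value assumed for cas.authn.ldap[0].name
}
```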

Andy Ng

Oct 9, 2017, 9:40:05 PM10/9/17
to CAS Community
For origin, if you don't mind using 5.2.0-RCx:
Pac4j:
you can see this (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#facebook)
You can see that there is a field called [clientName], which will actually let you define the name of your pac4j providers.
But even if you don't specify the clientName, the name of the pac4j provider is also given by default, like "FacebookProfile" as you cited above.

SAML for Google or for other things:
You can see that (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#saml-sps)
The name will be the origin of the SAML

LDAP:
This: (https://apereo.github.io/cas/development/installation/Configuration-Properties.html#why-passivators)
# This should be what you need
# cas.authn.ldap[0].name=


About the ID and your other question, idk how to do it using traditional configuration. You can also opt for a custom authentication handler like you said; here is some reading that might be useful (https://apereo.github.io/2017/02/02/cas51-authn-handlers/)

Hope this helps you,
- Andy

Filip Majernik

Oct 10, 2017, 3:50:39 AM10/10/17
to CAS Community
This is exactly what I would need (assuming that the clientName parameter is then used for the typedId). However, I probably cannot use the RC version (policy reasons). Is there any workaround for this?

Andy Ng

Oct 11, 2017, 10:50:28 PM10/11/17
to CAS Community
Well, my project allows me to use the RC version, so I know that 5.2.0-RCx has a lot of improvements, and one of them is allowing customization of naming in a lot of places (like pac4j items, different authentication handlers, and more), so I can't think of a good solution to implement those changes in 5.1.x.

Maybe you might try copying the parts of 5.2.0-RC and overlaying them in the project?

-Andy