CAS 6.3.5 Combination of Delegate and LDAP Authentication


Thomas Welspacher

Aug 3, 2021, 4:46:12 AM8/3/21
to CAS Community
Hello, 

I'm trying to get a CAS setup to run with 2 service definitions, one that is supposed to cause a delegate authentication ("delegate"), the other one that is supposed to trigger an LDAP authentication handler ("fallback").
For example, if the URL matches https://test.com/delegate, an external OIDC provider should be activated; if not, an LDAP authentication.

The problem is that an attempt is made to trigger a delegate authentication for the second service definition as well, although none should be done here.

Service 1 definition:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://test.com/delegate$",
  "name" : "delegate",
  "id" : 1,
  "evaluationOrder" : 1,
  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      "allowedProviders" : [ "java.util.ArrayList", [ "OidcGenericClientName" ] ],
      "permitUndefined": true,
      "exclusive": true
    }
  }
}

Service 2 definition:
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https?://.*$",
  "name" : "fallback",
  "id" : 2,
  "evaluationOrder" : 2,
  "authenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "LdapAuthenticationHandler" ]]
  }
}

CAS Properties:
LDAP is configured under the configurationKey "cas.authn.ldap[0].xxx", OIDC under cas.authn.pac4j.oidc[0].generic.xxx. Both methods work independently of each other, but not in combination.

cas.authn.ldap[0].name=LdapAuthenticationHandler
cas.authn.ldap[0].type=...
...
cas.authn.pac4j.name=Pac4jDelegatedAuthenticationHandler
cas.authn.pac4j.oidc[0].generic.name=OidcGenericName
cas.authn.pac4j.oidc[0].generic.client-name=OidcGenericClientName
cas.authn.pac4j.oidc[0].generic.id=...
cas.authn.pac4j.oidc[0].generic.secret=...
...

What was noticeable in the log:
2021-08-03 09:50:55,270 INFO [org.apereo.cas.config.LdapAuthenticationConfiguration] - <Registering LDAP authentication for [LdapAuthenticationHandler]>
2021-08-03 09:50:55,863 INFO [org.apereo.cas.config.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Located and prepared [1] delegated authentication client(s)>

2021-08-03 10:06:17,667 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - <Registered service [fallback] does not define any authorized/supported delegated authentication providers. It is STRONGLY recommended that you authorize and assign providers to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.>
(Service 2 is not supposed to trigger delegate authentication, so why is a policy or provider required here?)

Could it be that I am overlooking something obvious or can such a combination work? Thanks in advance!
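The two service definitions from the post fed to a small resolver that shows which service a given URL lands on and which authentication path that service asks for. This is an added example, not code from the post or from CAS: the first-match-by-evaluationOrder selection is modelled on CAS behaviour, the service JSON is copied from the post, and the wrapping array, the helper names and the sample URLs are constructed.

```python
import json
import re

# The two service definitions quoted above, wrapped in one JSON array (the wrapper is constructed).
SERVICES_JSON = """[
 {"@class": "org.apereo.cas.services.RegexRegisteredService", "serviceId": "^https://test.com/delegate$",
  "name": "delegate", "id": 1, "evaluationOrder": 1,
  "accessStrategy": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
   "delegatedAuthenticationPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
    "allowedProviders": ["java.util.ArrayList", ["OidcGenericClientName"]],
    "permitUndefined": true, "exclusive": true}}},
 {"@class": "org.apereo.cas.services.RegexRegisteredService", "serviceId": "^https?://.*$",
  "name": "fallback", "id": 2, "evaluationOrder": 2,
  "authenticationPolicy": {"@class": "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
   "requiredAuthenticationHandlers": ["java.util.TreeSet", ["LdapAuthenticationHandler"]]}}
]"""

def untyped(value):
    """Unwrap Jackson typed collections such as ["java.util.ArrayList", [...]] to a plain list."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[0], str) \
            and value[0].startswith("java.util."):
        return list(value[1])
    return value

def load_services(text=SERVICES_JSON):
    """Parse the registry and sort it the way CAS evaluates it: lowest evaluationOrder first."""
    return sorted(json.loads(text), key=lambda s: s["evaluationOrder"])

def matching_services(url, services=None):
    """Names of every service whose serviceId regex matches; shows where the patterns overlap."""
    return [s["name"] for s in (services or load_services()) if re.search(s["serviceId"], url)]

def resolve_service(url, services=None):
    """The service CAS would pick: first regex match in evaluation order, or None (modelled, see lead-in)."""
    return next((s for s in (services or load_services()) if re.search(s["serviceId"], url)), None)

def auth_path(service):
    """What the matched definition asks for: delegated providers and/or required handlers."""
    policy = service.get("accessStrategy", {}).get("delegatedAuthenticationPolicy")
    handlers = service.get("authenticationPolicy", {}).get("requiredAuthenticationHandlers", [])
    return {"name": service["name"],
            "has_delegation_policy": policy is not None,
            "delegated_providers": untyped(policy["allowedProviders"]) if policy else [],
            "required_handlers": untyped(handlers)}

if __name__ == "__main__":
    for url in ("https://test.com/delegate", "https://other.example.org/app"):
        print(url, "matches", matching_services(url), "->", auth_path(resolve_service(url)))
```

Running it shows that the delegate URL is matched by both patterns and only evaluationOrder keeps it on the "delegate" definition, while the "fallback" definition carries no delegatedAuthenticationPolicy at all, which is the condition the WARN line in the log reports.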
