CAS 7.1.4 Limit Delegation/Proxy user from using basic Auth LDAP


gautham jampala

Apr 9, 2025, 12:06:29 PM
to cas-...@apereo.org
Hello,

I have 2 primary modes of authentication, one being an in-house LDAP where usernames and passwords are stored for internal users and another Microsoft Entra (there could be multiple, basically each company having one) for some external users. I have both flows running properly. I want to stop external users from logging in via LDAP. Ideally, if an external user enters their email and password, I want CAS to redirect them to the appropriate Entra URL based on their domain name.

I did set up a:
cas.authn.policy.groovy[0].script=file:/authRouting.groovy

where I return an exception if the user is external, but this script is called after LDAP authentication is successful and only returns an abstract message that the user is not authenticated. 

Are there any other properties that I could use to redirect a user based on their domain name to a different authentication action?

Thank you,
Gautham

Ray Bon

Apr 15, 2025, 11:08:45 PM
to cas-...@apereo.org
Gautham,

CAS processes the authentication methods in the order they are listed in the config. If local LDAP is last, all others will have to fail before it is tried.
You can also assign an order to each method.

Or use an authentication resolution strategy rather than an authentication policy.

Ray


gautham jampala

Apr 16, 2025, 2:37:08 PM
to CAS Community, Ray Bon
Thank you Ray for your reply.
I was able to configure an authentication resolution strategy to stop login attempts of external users via LDAP, but there is no method for me to redirect the user to the appropriate IdP based on domain name with this.

Regards,
Gautham
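The routing decision the thread is after, written out as an added, stand-alone example (not CAS code or any CAS API): it takes the decision before any credential reaches LDAP, so a policy script that only runs after a successful LDAP bind is not needed. The internal domain list, the per-company Entra tenant map and its URLs are constructed placeholders.

```python
# Added example: decide, before any credential is sent to LDAP, whether a login
# goes to the in-house LDAP or is redirected to the Microsoft Entra tenant that
# owns the user's email domain. Not a CAS API; plug the logic into your own hook.
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (placeholders); replace with your own lists.
INTERNAL_DOMAINS = {"corp.example"}          # users whose passwords live in LDAP
ENTRA_TENANTS = {                            # one Entra tenant per external company
    "partner-a.example": "https://login.microsoftonline.com/TENANT-ID-A/oauth2/v2.0/authorize",
    "partner-b.example": "https://login.microsoftonline.com/TENANT-ID-B/oauth2/v2.0/authorize",
}

@dataclass(frozen=True)
class RoutingDecision:
    action: str                      # "ldap", "redirect" or "deny"
    redirect_url: Optional[str] = None
    reason: str = ""

def email_domain(username: str) -> Optional[str]:
    """Return the normalised domain of an email-style username, or None if malformed."""
    name = username.strip()
    if name.count("@") != 1:         # refuse "a@corp.example@other.example"-style input
        return None
    local, _, domain = name.partition("@")
    if not local or not domain or "." not in domain:
        return None
    return domain.lower()            # case-insensitive, but exact-match below

def route_login(username: str) -> RoutingDecision:
    """Exact-match routing: internal -> LDAP, known external -> Entra, otherwise deny."""
    domain = email_domain(username)
    if domain is None:
        return RoutingDecision("deny", reason="malformed username")
    if domain in INTERNAL_DOMAINS:
        return RoutingDecision("ldap", reason="internal domain")
    if domain in ENTRA_TENANTS:
        return RoutingDecision("redirect", ENTRA_TENANTS[domain], "external domain")
    # Unknown domains never reach LDAP. Exact membership is used on purpose:
    # a suffix or substring match would treat "corp.example.other" as internal.
    return RoutingDecision("deny", reason="unknown domain")
```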
