Ask for authenticating at every login


Alex T

Jan 29, 2020, 9:03:22 AM
to CAS Community
I created an app that uses the Apereo CAS server. And it works :)

But I want to make some changes. If I authenticate successfully in my app via CAS, then I log out of my app. Then I try to log in via CAS again; a redirect occurs to CAS, and a redirect back with a ticket, and it seems that I am logged in again without any question from SSO.

I want to change the CAS default behavior to ask if I want to log in before redirecting back to the app, and show some information, like: you are logged in as <username>, this <service> wants to authenticate, and so on.

What is the simplest way to do it?

Is it possible to do with some configuration (settings or gradle)? Or do I need to develop a custom overlay for it?

Alex T

Jan 29, 2020, 9:17:03 AM
to CAS Community
PS. If the user is already authenticated in CAS, I don't want to force re-entering the password. I want to ask the user whether he wants to log in to the app. If yes, the user is redirected to the app with a token, and then he becomes authenticated.

Ray Bon

Jan 29, 2020, 1:01:37 PM
to cas-...@apereo.org
Alex,

There is this capability to manipulate the log in flow, https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization-Interrupt.html.


Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Alex T

Jan 30, 2020, 2:29:19 AM
to CAS Community
Ray,

I tried to use interrupts with the JSON configuration. The interrupt occurs, but at the second login the user must re-enter credentials. I tried to change some parameters in the JSON, but not successfully. Another problem with the JSON configuration is that it is configured for a specific user only. It is documented for testing/demo/development only.

Are there examples of how to use the Regex interrupt configuration? I do not understand what I need to write in the attribute name and value expressions.

Ray Bon

Jan 30, 2020, 12:53:54 PM
to cas-...@apereo.org
Alex,

I have not used the interrupt system. I have modified the webflow to do some post authentication processing.

If a user is being asked for credentials a second time, it means that the service is configured to not participate in SSO or that the TGC (CAS session) has expired or that the service is asking to force authentication.
When your user logs out of the application, does the application send the logout to CAS? This will end the CAS session.

Speaking from the perspective of a user; why would a user, who clicked on an application's login button, want to be asked if they want to log in? This disrupts the point of single sign on.

Ray
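
Added example, not part of the thread or of the CAS project: a small check for the three causes of a second credential prompt named in the reply above. The sample service definition, URLs and cookie value are constructed, and the function name is hypothetical; the default cookie name `TGC`, the `ssoEnabled` access-strategy flag and the `renew` parameter are standard CAS names.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed JSON service registry entry (sample data, not from the thread).
SAMPLE_SERVICE = json.dumps({
    "@class": "org.apereo.cas.services.RegexRegisteredService",
    "serviceId": "^https://app\\.example\\.org/.*",
    "name": "app",
    "id": 1001,
    "accessStrategy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
        "ssoEnabled": False,
    },
})
# Constructed login redirect as the application would send the browser to CAS.
SAMPLE_LOGIN_URL = ("https://cas.example.org/cas/login"
                    "?service=https%3A%2F%2Fapp.example.org%2F&renew=true")


def reprompt_causes(login_url, service_json, cookies, tgc_name="TGC"):
    """Return which of the three causes named in the reply apply to a login request.

    cookies is a dict of cookie names to values the browser sent to CAS.
    """
    causes = []
    # 1. Service opted out of SSO: accessStrategy.ssoEnabled is false (default true).
    strategy = json.loads(service_json).get("accessStrategy", {})
    if strategy.get("ssoEnabled", True) is False:
        causes.append("service does not participate in SSO")
    # 2. No ticket-granting cookie: the CAS session expired or was ended by logout.
    #    A cookie that is present can still reference an expired ticket server-side.
    if not cookies.get(tgc_name):
        causes.append("no TGC sent to CAS")
    # 3. Forced authentication: the CAS protocol bypasses SSO when 'renew' is set.
    query = parse_qs(urlsplit(login_url).query, keep_blank_values=True)
    if "renew" in query:
        causes.append("service requests forced authentication (renew)")
    return causes


if __name__ == "__main__":
    for cause in reprompt_causes(SAMPLE_LOGIN_URL, SAMPLE_SERVICE, {}):
        print("re-prompt cause:", cause)
```
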

Andy Ng

Feb 1, 2020, 10:44:03 PM
to CAS Community
Hi Alex,

The concept of asking everything before logging in to a system is sometimes called consent.

So, from what I heard for your case, you want your user to consent every time the user should be accessing different services.

Well, an exact implementation for that might not be natively available for CAS, but there is a similar case called the "Attribute Consent", I think it might work quite well in your case:

See if that helps...

Cheers!
- Andy
