Delegated Azure callbackUrl by service


Pablo Vidaurri
Feb 3, 2024, 1:44:01 AM
to CAS Community
I have a situation where the same app is deployed on different domains, each for a different region... so something like mysite.uk, mysite.jp, etc. They all log into a central CAS and CAS delegates to AD. 

What I need is to define the callback url depending on the service.
  • I see I can define cas.authn.pac4j.oidc[0].azure.callback-url=foobar but that will be used by all the domains.
  • In loginProviders.html, it looks like I can update redirectUrl, but it is being ignored and continues to use ${cas.server.prefix}/login th:attr="autoRedirectType=${#strings.toLowerCase(entry.autoRedirectType)},redirectUrl=@{${entry.redirectUrl}}"
  • Looks like it is not supported out of the box with a service config (filter for OIDC): https://apereo.github.io/cas/6.6.x/services/Configuring-Service-Custom-Properties.html#supported-properties
Short of overriding a class and introducing new properties, any other ideas?

-psv


Ray Bon
Feb 3, 2024, 9:13:18 AM
to cas-...@apereo.org
Pablo,


Ray

On Fri, 2024-02-02 at 21:10 -0800, Pablo Vidaurri wrote:

Pablo Vidaurri
Feb 3, 2024, 7:59:03 PM
to CAS Community, Ray Bon
Thanks for the pointer.

I went the KISS route ...

I added duplicate configs in my cas.properties file, one for each region/language defining required auto-redirect-type for each that differs from the original:

custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=<my_client_id>
cas.authn.pac4j.oidc[0].azure.secret=<my_super_cEeKrEt>
cas.authn.pac4j.oidc[0].azure.tenant=<my_tenant>
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

Then updated my login form to only display appropriate delegated button/link for the given region/language.

Pablo Vidaurri
Feb 4, 2024, 3:04:28 AM
to CAS Community, Pablo Vidaurri, Ray Bon
Sorry, correction, should be: defining required callback-url for each that differs from the original.


custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=<my_client_id>
cas.authn.pac4j.oidc[0].azure.secret=<my_super_cEeKrEt>
cas.authn.pac4j.oidc[0].azure.tenant=<my_tenant>
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}
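
The configuration in the two posts above relies on CAS property placeholders (${...}) to share one client id, secret and tenant across three oidc[n] entries while giving each region its own callback-url. Because an OIDC redirect URI has to match the value registered with the identity provider exactly, a pre-deployment check that resolves every placeholder and validates the resulting callback URLs is worth having. The script below is an added example, not code from the thread, CAS or pac4j; it parses a constructed copy of the cas.properties fragment, expands the placeholder references (with cycle detection), and checks each resolved callback-url against an assumed allow-list of region hosts (ALLOWED_CALLBACK_HOSTS), an https-only rule and the expected /cas/login path.

```python
"""Resolve a cas.properties fragment and sanity-check every delegated Azure
callback-url before deployment (added example; not CAS or pac4j code)."""
import re
from urllib.parse import urlsplit

# Constructed sample mirroring the thread's configuration (secrets are placeholders).
SAMPLE_PROPERTIES = """
custom.azure.redirect-url.uk=https://www.myapp.uk
custom.azure.redirect-url.cn=https://www.myapp.cn

cas.authn.pac4j.oidc[0].azure.id=<my_client_id>
cas.authn.pac4j.oidc[0].azure.secret=<my_super_secret>
cas.authn.pac4j.oidc[0].azure.tenant=<my_tenant>
cas.authn.pac4j.oidc[0].azure.auto-redirect-type=NONE

cas.authn.pac4j.oidc[1].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[1].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[1].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[1].azure.callback-url=${custom.azure.redirect-url.uk}/cas/login
cas.authn.pac4j.oidc[1].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}

cas.authn.pac4j.oidc[2].azure.id=${cas.authn.pac4j.oidc[0].azure.id}
cas.authn.pac4j.oidc[2].azure.secret=${cas.authn.pac4j.oidc[0].azure.secret}
cas.authn.pac4j.oidc[2].azure.tenant=${cas.authn.pac4j.oidc[0].azure.tenant}
cas.authn.pac4j.oidc[2].azure.callback-url=${custom.azure.redirect-url.cn}/cas/login
cas.authn.pac4j.oidc[2].azure.auto-redirect-type=${cas.authn.pac4j.oidc[0].azure.auto-redirect-type}
"""

# Hosts allowed to receive the Azure callback; an assumption for this example.
ALLOWED_CALLBACK_HOSTS = {"www.myapp.uk", "www.myapp.cn"}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")
CALLBACK_KEY = re.compile(r"^cas\.authn\.pac4j\.oidc\[(\d+)\]\.azure\.callback-url$")


def parse_properties(text):
    """Parse key=value lines (blank and comment lines skipped) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve(props, key, _seen=None):
    """Expand ${other.key} references recursively, refusing cycles and unknown keys."""
    _seen = _seen or set()
    if key in _seen:
        raise ValueError("circular reference at " + key)
    if key not in props:
        raise KeyError("unresolved placeholder " + key)
    return PLACEHOLDER.sub(lambda m: resolve(props, m.group(1), _seen | {key}), props[key])


def resolved_callback_urls(props):
    """Map client index -> fully resolved callback-url; clients without one are omitted."""
    out = {}
    for key in props:
        m = CALLBACK_KEY.match(key)
        if m:
            out[int(m.group(1))] = resolve(props, key)
    return out


def check_callback_url(url, allowed_hosts=ALLOWED_CALLBACK_HOSTS):
    """Return a list of problems; an empty list means the URL is acceptable."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname not in allowed_hosts:
        problems.append("host %r not in allow-list" % parts.hostname)
    if parts.path != "/cas/login":
        problems.append("path %r is not /cas/login" % parts.path)
    if parts.query or parts.fragment:
        problems.append("query/fragment not allowed in a registered redirect URI")
    return problems


def audit(text):
    """Resolve every delegated client's callback-url and report problems per client index."""
    props = parse_properties(text)
    return {idx: check_callback_url(url)
            for idx, url in sorted(resolved_callback_urls(props).items())}


if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_PROPERTIES).items():
        print("oidc[%d]: %s" % (idx, "OK" if not problems else "; ".join(problems)))
```

Run it against the real cas.properties by passing the file contents to audit(); any entry that reports a problem is one whose resolved callback-url would not match the redirect URI registered for the Azure app, or would point somewhere other than the intended regional host.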

