Connect to AD and AZURE


vallee.romain

Nov 20, 2019, 6:38:12 AM
to CAS Community
Hello everybody.
I have two questions about how authentication works.

My first question:
Do you think that the CAS server can retrieve attributes from Azure users (like mail, UPN, ...)?

My second question:

Can the CAS server mix two auth methods like AD and Azure? Example:
if my AD user exists, the CAS server returns true;

if my AD user doesn't exist, can my CAS server check whether this user exists in Azure?

Best regards

Andy Ng

Nov 20, 2019, 10:49:23 PM
to CAS Community
Hi,

When you are talking about Azure users, I think you mean using the delegated Azure login, https://apereo.github.io/cas/6.1.x/configuration/Configuration-Properties.html#azure-ad
Am I correct? If yes, then continue; if no, please elaborate.
=======================================================================================
Do you think that the CAS server can retrieve attributes from Azure users (like mail, UPN, ...)?

Please have a look and see if it helps you resolve your attributes (e.g. mail, upn).
================================================================================
Can the CAS server mix two auth methods like AD and Azure?

No, I don't think so. Here's a diagram illustrating why:

[image: temp.png]

If you set up a normal AD in your organization, users will be using flow 1.
If you set up delegated authentication to Azure, users will be using flow 2.

To simulate your situation:
1.   The user types in username & password in flow 1.
2a.  User login succeeds, flow 1 completes.
2b.  User login fails, flow 2 starts.
3.   The issue is, you cannot pass either the user's username* or password to flow 2 (i.e. Azure), because it is maintained by Microsoft.

* Some delegated authentication providers might allow you to pass the username to them; I haven't looked into Azure enough to know if they allow such a thing. Nevertheless, they would not allow you to inject your password into Azure, that is very much sure.

So that's why it is very unlikely that your request can be done, even with custom code on CAS.

See if others have another method that can help you achieve your goal, thanks.

Cheers!
- Andy
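To make the two flows in the diagram concrete, here is an added cas.properties fragment (written for this page, not taken from the thread or from the CAS project) that configures both of them side by side: flow 1 is the CAS login form checked against on-premises AD over LDAPS, flow 2 is a "Login with Azure AD" button that redirects the browser to Microsoft. Property names follow the CAS 6.1 documentation linked above, but delegated-authentication keys have moved between CAS releases, so verify them against your version. Hostnames, DNs, tenant, client ID, secret and the `upn` claim name are placeholders/assumptions.

```properties
# Added example, not from the thread. Placeholders throughout; verify property
# names against the CAS version you run.

# ---- Flow 1: username/password form, validated against AD over LDAPS.
# Needs the cas-server-support-ldap module on the classpath.
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://dc01.corp.example.com:636
cas.authn.ldap[0].baseDn=OU=Users,DC=corp,DC=example,DC=com
cas.authn.ldap[0].searchFilter=(sAMAccountName={user})
cas.authn.ldap[0].bindDn=CN=svc-cas,OU=Service Accounts,DC=corp,DC=example,DC=com
cas.authn.ldap[0].bindCredential=changeme
# AD attributes attached to the principal ("attr:alias" renames on the fly).
cas.authn.ldap[0].principalAttributeList=mail,userPrincipalName:upn,displayName

# ---- Flow 2: delegated login to Azure AD via pac4j (OpenID Connect).
# Needs the cas-server-support-pac4j-webflow module. The user never types a
# password into CAS here: CAS only receives an ID token after the redirect,
# so there is no way to forward the flow-1 password to Microsoft.
cas.authn.pac4j.oidc[0].azure.id=00000000-0000-0000-0000-000000000000
cas.authn.pac4j.oidc[0].azure.secret=changeme
cas.authn.pac4j.oidc[0].azure.tenant=contoso.onmicrosoft.com
cas.authn.pac4j.oidc[0].azure.clientName=AzureAD
cas.authn.pac4j.oidc[0].azure.scope=openid profile email
# Which claim becomes the CAS principal id. "upn" is an assumption: check the
# claims your tenant actually issues (v2 tokens may use preferred_username).
cas.authn.pac4j.oidc[0].azure.principalAttributeId=upn

# Note: nothing here chains flow 1 into flow 2. A failed AD bind ends in an
# authentication failure; clicking the Azure button starts a new, separate
# authentication. Services only receive upn/mail if the service registry
# entry's attribute release policy allows them.
```

Claims returned by Azure (upn, name, email) are exposed as principal attributes of the delegated login, which answers the first question for the Azure side; the AD side gets its attributes from `principalAttributeList`. The secret belongs in an encrypted or externalised property source, not in a plain file committed to version control.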




vallee.romain

Nov 21, 2019, 11:10:35 AM
to CAS Community
Hello Mister Andy.
Thank you very much for taking the time to give me such a complete answer.
I now have a better understanding of how to integrate O365.
The little explanatory diagram is perfect!
This week, I understood how the connection to O365 worked, and why the rememberMe can't remember when the IP address changes:
# cas.tgc.pinToSession=true --> false
Thank you so much.

Andy Ng

Nov 21, 2019, 8:45:58 PM
to CAS Community
No problem, glad it helps! - Andy

Anmol Budhewar

Nov 25, 2019, 9:13:53 PM
to cas-...@apereo.org
Then how do we connect to AD? My question is: I don't know how to connect Active Directory to the CAS server. I have Windows Server 2012 R2, on which I installed AD, AD CS and AD LDS. Now I want to connect AD with the CAS server. From PowerShell I know that the users were added, I know the sAMAccountName and other credentials, but the LDAP URL might not work properly, so how do I connect AD with the CAS server? Another question is that after successful installation of AD LDS and certificate generation, my SSL connection with LDAP is not established. My LDAPS link is not working. Can you help me with this?



Andy Ng

Nov 25, 2019, 9:28:27 PM
to CAS Community
Hi Anmol,

I would really appreciate it if you could open a new topic instead of replying to an unrelated one; it would be easier for people to locate your specific question and answer it.

I don't have Active Directory set up in my testing environment, so it would be really hard for me to help with your problem. After you open a new post, maybe others can go in and give you some advice.

In the meantime, here's a tutorial I found from Apereo, which may or may not be helpful to you; you can have a look:

Just make sure to change `userFilter` to `searchFilter` if you are using CAS 6.

- Andy
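Since the thread leaves the AD-over-LDAPS question open, here is an added cas.properties fragment (written for this page, not from the thread or the CAS project) for a CAS 6 AD authentication handler using the CAS 6 `searchFilter` name, with the JVM told to trust the certificate chain that AD CS issued to the domain controller. A Java client rejects the domain controller's certificate during the TLS handshake when the issuing CA is not in its trust store, which is the usual reason an LDAPS URL "does not work" right after setting up AD CS. Hostnames, DNs, file paths and passwords are placeholders, and the trust-related property names should be checked against the LDAP connection settings of your CAS version. Note also that an AD LDS instance listens on its own port chosen at install time, separate from AD DS on 389/636, so the URL must point at the directory you actually intend to authenticate against.

```properties
# Added example, not from the thread. Placeholders throughout; verify property
# names against the CAS version you run. Needs cas-server-support-ldap.

cas.authn.ldap[0].type=AUTHENTICATED
# ldaps:// on 636 is TLS from the first byte. ldap:// on 389 plus
# useStartTls=true is the alternative; never send bindCredential over plain 389.
cas.authn.ldap[0].ldapUrl=ldaps://dc01.corp.example.com:636
# Search-then-bind: find the entry by sAMAccountName, then bind as that DN with
# the user's password. CAS 5 called this property userFilter; CAS 6 renamed it.
cas.authn.ldap[0].baseDn=DC=corp,DC=example,DC=com
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(sAMAccountName={user})
# Read-only service account used only for the lookup, never a domain admin.
cas.authn.ldap[0].bindDn=CN=svc-cas,OU=Service Accounts,DC=corp,DC=example,DC=com
cas.authn.ldap[0].bindCredential=changeme
# Trust anchor: the AD CS root (or issuing) CA certificate exported as PEM.
# Without it the handshake fails and no LDAPS connection is ever established.
cas.authn.ldap[0].trustCertificates=file:/etc/cas/config/corp-ad-ca.pem
# Keep hostname verification on: the DC certificate's SAN must contain
# dc01.corp.example.com. Setting this to ANY would accept any certificate
# signed by the trusted CA, which invites a man-in-the-middle DC.
cas.authn.ldap[0].hostnameVerifier=DEFAULT
# Fail fast and re-validate pooled connections so a dead DC is noticed.
cas.authn.ldap[0].connectTimeout=PT5S
cas.authn.ldap[0].validatePeriodically=true
cas.authn.ldap[0].validatePeriod=PT10M
# Attributes released to the principal; memberOf gives group DNs for authz.
cas.authn.ldap[0].principalAttributeList=sAMAccountName,mail,userPrincipalName:upn,memberOf
```

A quick way to separate a certificate problem from a connectivity problem before touching CAS is to open the LDAPS port from the CAS host with an `openssl s_client -connect dc01.corp.example.com:636 -showcerts` style check and confirm that the presented chain ends at the CA you exported above; if that chain is wrong or the SAN does not match the hostname, no CAS setting will make the connection succeed.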