Authentication Provider Triggers - not just MFA - or per "organization" authentication.


Colin Ryan

Dec 16, 2019, 11:47:39 AM
to CAS Community
Folks,

I have a central application that will be used by multiple groups of
users. These users are organized by organization in LDAP as the primary
system of record. However, each organization will have a potentially
different choice of which of my available authentication providers need
to be presented/enforced for users in said "organization".

So I'm looking for a way to trigger, prior to actual authentication, a
dynamic configuration decision as to what authentication provider a
particular user needs to be presented with, but all accessing the same
service URL.

I'm expecting I'll need to intercept the authentication request at some
point, do an LDAP lookup on the user ID and grab my determining
attribute, and then, based upon the value of said attribute, essentially
dynamically assign this user an auth service. This authentication
could be LDAP, Radius or even subsequent MFA. Kind of what the MFA
triggers do, but dynamically updating even what the original first
authentication factor would be.

I haven't seen any native configurations for CAS that would let me do
this, so just wondering where I could hook into the CAS sequences/flows
to do such a thing.

or

As an aside or potential alternative, I'd imagined a way where I could
provide a particular user set with a unique service URL. This could be
used to provide resolution to what authentication source that
"organization" should use, but then upon authenticating redirect them to
the central application with SSO. I would need, however, to prevent users
from accidentally (or nefariously) going directly to the central
application and potentially authenticating with an inappropriate
authentication source. Is there a way to maybe configure a Java Spring
app so that it can only accept proxied authentications, or something along
those lines?

Hopefully I've made sense in explaining my requirements here.

Sincerely.

Colin




Ray Bon

Dec 16, 2019, 12:40:17 PM
to cas-...@apereo.org
Colin,

In federated access, the user is often presented with a discovery lookup where they select or type their chosen identity provider. It is possible to modify the CAS web flow, https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization.html, and insert such a page.
See, https://samltest.id/start-idp-test/, for an example (EntityID == organization).

For subsequent events like MFA, you can trigger those with user attribute(s) set in the service definition.

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Ray Bon

Dec 16, 2019, 4:00:29 PM
to cas-...@apereo.org
Colin,

I was thinking the user would enter their home organization rather than the auth provider.

CAS should step through different authentication mechanisms in the order they are listed [in config] until it finds a match or exhausts all mechanisms. We use multiple LDAP entries that differ only in the tree searched. I have not tried other mechanisms like Radius, but it may still apply.

If the above does not work, yes you could insert some Java LDAP calls.

Ray

On Mon, 2019-12-16 at 13:22 -0500, Colin Ryan wrote:
Ray,

Thanks for the response. The issue I see with this is I don't want to have to rely on user input to start this all off. What I need to avoid is having a user find a way to successfully validate via, say, AuthProvider A (i.e. LDAP), when I in fact needed them to authenticate via Provider B (i.e. Radius). Unless I'm missing something, depending on the user to provide the input required for such a decision is not desirable.

Unless you're simply pointing me in a direction where I could insert some Java LDAP calls as I receive the incoming UserID, and then dynamically adjust the Authentication Provider to use for the actual auth.

Cheers

Sorry to be so unclear. It's all so obvious with different URLs/services, but I'm basically trying to manage a centralized administrative tool overlaying what is essentially a multi-tenanted user database, and CAS's contexts are so service focused.

Colin
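The "insert some Java LDAP calls" approach, as an added example that is not from this thread or from the CAS project: a custom `AuthenticationHandlerResolver` that looks up the submitted user ID in LDAP before any password is checked and keeps only the handler the user's organization requires. It assumes the CAS 6.1.x `AuthenticationHandlerResolver` and `AuthenticationEventExecutionPlanConfigurer` API with the method signatures shown (check them against your CAS version); the handler names, the `o` attribute, the `org.example.cas` package, the LDAP URL/base DN and the organization-to-handler map are all hypothetical.

```java
// Added example, not CAS project code. Assumes the CAS 6.1.x
// AuthenticationHandlerResolver / AuthenticationEventExecutionPlanConfigurer
// API; handler names, the "o" attribute and the org->handler map are hypothetical.
package org.example.cas;

import java.util.Hashtable;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationHandler;
import org.apereo.cas.authentication.AuthenticationHandlerResolver;
import org.apereo.cas.authentication.AuthenticationTransaction;
import org.apereo.cas.authentication.Credential;
import org.springframework.context.annotation.Configuration;

public class OrgAuthenticationHandlerResolver implements AuthenticationHandlerResolver {

    private final String ldapUrl;
    private final String baseDn;
    /** Hypothetical mapping: value of the user's "o" attribute -> CAS handler name. */
    private final Map<String, String> orgToHandler;

    public OrgAuthenticationHandlerResolver(String ldapUrl, String baseDn, Map<String, String> orgToHandler) {
        this.ldapUrl = ldapUrl;
        this.baseDn = baseDn;
        this.orgToHandler = orgToHandler;
    }

    @Override
    public Set<AuthenticationHandler> resolve(Set<AuthenticationHandler> candidateHandlers,
                                              AuthenticationTransaction transaction) {
        // The first-factor credential carries the submitted user id; nothing is verified yet.
        String userId = transaction.getCredentials().stream()
                .map(Credential::getId).findFirst().orElse(null);
        String requiredHandler = userId == null ? null : orgToHandler.get(lookupOrganization(userId));

        Set<AuthenticationHandler> selected = new LinkedHashSet<>();
        for (AuthenticationHandler handler : candidateHandlers) {
            if (handler.getName().equals(requiredHandler)) {
                selected.add(handler);
            }
        }
        // Fail closed: an unknown user or an unmapped organization gets no handler at all,
        // so nobody can fall through to a weaker provider (e.g. an LDAP password check when
        // RADIUS was required). CAS fails the transaction when no handler is resolved.
        return selected;
    }

    /** Lowest value runs first; lets this resolver precede the per-service one (Ordered contract). */
    public int getOrder() {
        return 0;
    }

    /** Read the "o" attribute of the entry whose uid matches the submitted user id. */
    private String lookupOrganization(String userId) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"o"});
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            // Pass the user id as a filter argument ({0}) instead of concatenating it: JNDI
            // escapes it, so "*" or ")(uid=admin" typed into the login form cannot alter the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, "(uid={0})", new Object[] {userId}, controls);
            if (results.hasMore()) {
                SearchResult entry = results.next();
                if (entry.getAttributes().get("o") != null) {
                    return (String) entry.getAttributes().get("o").get();
                }
            }
            return null;
        } catch (NamingException e) {
            return null; // directory error -> no handler: fail closed rather than guess
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }
}

/** Registers the resolver with CAS (hypothetical configuration class). */
@Configuration
class OrgAuthenticationConfiguration implements AuthenticationEventExecutionPlanConfigurer {
    @Override
    public void configureAuthenticationExecutionPlan(AuthenticationEventExecutionPlan plan) {
        plan.registerAuthenticationHandlerResolver(new OrgAuthenticationHandlerResolver(
                "ldap://ldap.example.org:389", "ou=people,dc=example,dc=org",
                Map.of("finance", "RadiusAuthenticationHandler",
                       "research", "LdapAuthenticationHandler")));
    }
}
```

The handler names compared against here are whatever you set in your CAS properties (the `name` property of each LDAP or RADIUS handler entry), so the same user ID always lands on the same first factor regardless of which service URL was requested, which is the property the original question asks for. Any later MFA step can then be keyed off the same organization attribute through the service definition's multifactor policy, as suggested above.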

