Link external provider id to local account


Jakub Koudelka

7:58 AM
to CAS Community
Good morning, 

I have CAS as IdP connected to LDAP and this works well. I also want people to be able to use Facebook/Google/... to log in. I have already defined external identity providers and it works too.

The problem is that users first need to link those social logins to their account (users can't create accounts directly from Google/...).

My expected flow is this:
- user logs in to their portal app (via OIDC on CAS)
- user can manage their linked accounts in this app - click for example 'add Google account'
- user is directed to CAS with the specified provider, which will take care of the Google stuff
- user is redirected back to the portal app with the Google-specific identifier
- portal app saves this identifier to the user profile

I'm struggling with the part where the user is redirected to CAS for Google login.

I tried sending the user to /cas/login with delegatedclientid=google-client, but this does not force Google auth and immediately redirects to /cas/account showing user attributes. Adding renew=true shows the login screen, but does not redirect directly to Google auth.

Is this the proper way to handle this use case (how can I make it work), or is there some other, preferred, option?

Thank you

Pascal Rigaux

11:04 AM
to cas-...@apereo.org
Hi,

Did you try something like /cas/clientredirect?client_name=Google ?

On this subject, we are doing something similar, with FranceConnect instead of Facebook/Google, and account linking is done in Apereo CAS interrupt.
Cf https://github.com/EsupPortail/claExternalID, esp. :
- https://raw.githubusercontent.com/EsupPortail/claExternalID/refs/heads/master/doc-diagram.svg
- https://github.com/EsupPortail/claExternalID/blob/master/etc/cas/config/interrupt.groovy
- https://github.com/EsupPortail/claExternalID/blob/master/etc/cas/services/claExternalID_Associate-55.json
The last file shows a service that forces non-delegated login for a pseudo service.

cu,
Pascal R.
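The portal side of the flow asked for above (send the user to CAS for one named provider, get the provider's identifier back, store it on the local profile), as an added example that is not code from this thread, from EsupPortail/claExternalID or from Apereo CAS. It uses the /clientredirect?client_name=... endpoint from the reply and a CAS 3.0 /p3/serviceValidate response; whether an existing CAS SSO session still short-circuits the provider on that endpoint is not settled in the thread. Assumptions, all hypothetical: the CAS base URL, the `clientName` attribute naming the delegated client in the validation response, the sample XML, and the dict-based session and link store. The security point the code adds is that a link callback must be bound to the session that started it, otherwise an attacker can hand a victim a callback URL and attach the attacker's Google account to the victim's local account.

```python
"""Portal-side account linking against CAS delegated authentication.

Added example; not from the thread, EsupPortail/claExternalID or Apereo CAS.
Assumes a hypothetical CAS at CAS_BASE, that the portal starts the link via
/clientredirect?client_name=..., and that the /p3/serviceValidate response
carries the provider's user id in cas:user and the provider's name in a
`clientName` attribute (attribute name assumed; check what your CAS releases).
"""
import hmac
import secrets
import urllib.parse
import xml.etree.ElementTree as ET

CAS_BASE = "https://cas.example.org/cas"        # hypothetical deployment
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}  # CAS protocol XML namespace


def start_link(session, client_name, callback_url):
    """Record a pending link in the session and build the CAS redirect URL.

    The random state rides inside the service URL, so only the browser session
    that started the link can complete it (login-CSRF protection for linking).
    """
    state = secrets.token_urlsafe(32)
    session["pending_link"] = {"client": client_name, "state": state}
    service = callback_url + "?" + urllib.parse.urlencode({"state": state})
    query = urllib.parse.urlencode({"client_name": client_name, "service": service})
    return f"{CAS_BASE}/clientredirect?{query}"


def parse_service_validate(xml_text):
    """Parse a CAS 3.0 serviceValidate body into (user, {attr: [values]}).

    Raises ValueError on authenticationFailure or a malformed body so a failed
    validation can never be mistaken for an identity.
    """
    root = ET.fromstring(xml_text)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError(f"CAS validation failed: {failure.get('code')}")
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("no cas:authenticationSuccess element")
    user = success.findtext("cas:user", namespaces=CAS_NS)
    attrs = {}
    for el in success.findall("cas:attributes/*", CAS_NS):
        attrs.setdefault(el.tag.split("}", 1)[1], []).append(el.text or "")
    return user, attrs


def finish_link(session, returned_state, cas_user, attrs, store):
    """Bind the provider identifier CAS returned to the logged-in local account.

    Checks: a link was started in this session, the state round-tripped
    unchanged, the provider CAS reports is the one requested, and the external
    identity is not already linked to a different local account.
    """
    pending = session.get("pending_link")
    if pending is None:
        raise PermissionError("no link in progress for this session")
    if not hmac.compare_digest(pending["state"].encode(), returned_state.encode()):
        raise PermissionError("state mismatch: callback not from this session")
    provider = attrs.get("clientName", [None])[0]
    if provider != pending["client"]:
        raise PermissionError(f"CAS reported {provider!r}, expected {pending['client']!r}")
    local_uid = session["local_uid"]
    for other_uid, links in store.items():
        if other_uid != local_uid and links.get(provider) == cas_user:
            raise PermissionError("external identity already linked to another account")
    del session["pending_link"]          # one-time use
    store.setdefault(local_uid, {})[provider] = cas_user
    return local_uid, provider, cas_user


# Constructed sample of the validation response for the callback's ticket.
SAMPLE_VALIDATE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>109876543210987654321</cas:user>
    <cas:attributes>
      <cas:clientName>Google</cas:clientName>
      <cas:email>jane@example.com</cas:email>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

SAMPLE_FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


def demo():
    """Run the whole link round-trip on the constructed sample."""
    session = {"local_uid": "jdoe"}      # user already logged in to the portal
    store = {}
    url = start_link(session, "Google", "https://portal.example.org/link/cas")
    # The browser follows `url`; CAS bounces via Google and back to the service
    # URL with a ticket; the portal validates it and gets XML like the sample.
    svc = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["service"][0]
    state = urllib.parse.parse_qs(urllib.parse.urlparse(svc).query)["state"][0]
    user, attrs = parse_service_validate(SAMPLE_VALIDATE_RESPONSE)
    return finish_link(session, state, user, attrs, store), store


if __name__ == "__main__":
    print(demo())
```

The provider name check matters because a single CAS callback endpoint serves every provider: without it, a Facebook identifier returned by CAS would be stored under whatever provider the user originally clicked.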