Hi there,
CAS 6.6.x, delegated authN to IdP, such as CAS delegating to an external IdP, when user mapping is one-to-many.
For historical reasons, one person may have multiple usernames across apps protected by the same CAS instance. These usernames map to the same username on the external IdP, thus one-to-many.
For instance, App A and B are protected by CAS, same person but two different usernames: jsmith on A, smithj on B. CAS provides authentication today. Tomorrow, CAS delegates authN to an external IdP, and this person already has username johnsmith on that external IdP. During login, he enters johnsmith and credential; after authentication and the response back to CAS as johnsmith, CAS needs to figure out whether the username is jsmith or smithj. The ask is to present a UI and let the person select, as he would know best.
It feels like a bad idea (as we are letting the user say who he is; but this is a migration, the user is already authenticated, and we fully trust that external IdP, so it is the best user experience for backward compatibility). I cannot explain why this may be an insecure practice. Any thoughts?
Thanks!
Yan