Re: [cas-user] One-to-many User mapping question in Delegated AuthN


Ray Bon

May 13, 2024, 4:30:32 PM
to cas-...@apereo.org
Yan,

I see two problems with letting user select the correct username:
1. user needs to know which username belongs to which application (sounds like a help desk nightmare)
2. a username may match a real user, e.g., jsmith might exist in both applications, allowing johnsmith to log in as both jsmith (for janesmith) or smithj (for johnsmith)

It is possible to use a groovy script or java class to resolve the user, https://apereo.github.io/cas/7.0.x/installation/Configuring-Principal-Resolution.html

Ray

On Mon, 2024-05-13 at 07:54 -0700, Yan Zhou wrote:

Hi there,

CAS 6.6.x, delegated authN to IdP, such as CAS delegating to external IdP, when user mapping is one-to-many.

For historical reasons, one person may have multiple usernames across apps protected by the same CAS instance, these usernames map to the same username on external IdP, thus one-to-many.

For instance, App A and B are protected by CAS, same person but two different usernames: jsmith on A, smithj on B. CAS provides authentication today. Tomorrow, CAS delegates authN to external IdP, this person already has username johnsmith on that external IdP. During login, he enters johnsmith and credential, after authentication and response back to CAS as johnsmith, CAS needs to figure out whether username is jsmith or smithj. The ask is to present a UI and let the person select, as he would know best.

It feels like a bad idea (as we are letting user say who he is, but, this is a migration and user is already authenticated, and we fully trust that external IdP, it is the best user-experience for backward compatibility), I cannot explain why this may be an insecure practice. Any thoughts?

thanks!
Yan

Yan
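An added illustration of the two points above (not code from the thread, from CAS, or from either poster): a server-side resolver that maps the authenticated IdP subject to the legacy username for the requesting application from a trusted link table built during migration, plus a check showing why a user-chosen username can land on someone else's account. The account tables, person ids and service ids are constructed sample data; a real CAS deployment would do this in the Groovy/Java principal resolver Ray links to.

```python
"""Illustrative model of one-to-many username resolution for delegated authN.
Constructed sample data, not a real CAS API."""


class ResolutionError(Exception):
    """Raised when no single legacy account can be derived for the caller."""


# Constructed legacy account tables of the two CAS-protected applications,
# keyed by service id, then legacy username -> canonical person id.
LEGACY_ACCOUNTS = {
    "app-a": {"jsmith": "person-1"},                      # John Smith on A
    "app-b": {"smithj": "person-1",                       # John Smith on B
              "jsmith": "person-2"},                      # Jane Smith on B
}

# Constructed link table built during migration: IdP subject -> person id.
# This is the trusted source of truth, not anything the user types or picks.
IDP_LINKS = {"johnsmith": "person-1", "janesmith": "person-2"}


def resolve_service_username(idp_subject: str, service_id: str) -> str:
    """Return the legacy username for `service_id` that belongs to the person
    linked to `idp_subject`; fail closed if there is not exactly one match."""
    person = IDP_LINKS.get(idp_subject)
    if person is None:
        raise ResolutionError(f"no linked person for IdP subject {idp_subject!r}")
    accounts = LEGACY_ACCOUNTS.get(service_id, {})
    candidates = [name for name, owner in accounts.items() if owner == person]
    if len(candidates) != 1:
        raise ResolutionError(
            f"{len(candidates)} legacy accounts for {person!r} on {service_id!r}")
    return candidates[0]


def chosen_username_belongs_to_someone_else(idp_subject: str, service_id: str,
                                            chosen: str) -> bool:
    """Ray's second point: a username the user picks may exist in the
    application but be owned by a different real person."""
    owner = LEGACY_ACCOUNTS.get(service_id, {}).get(chosen)
    return owner is not None and owner != IDP_LINKS.get(idp_subject)
```

The same johnsmith login resolves to jsmith on app-a and smithj on app-b without any user choice, while letting johnsmith pick "jsmith" on app-b would select Jane Smith's account.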


To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/21da7fa453d2dd54b3bfd73ec70be143ae06adb9.camel%40uvic.ca.