First, I'm new to CAS and am still working my way around it, Spring, and 
Maven.  Have mercy on the newbie.  My environment is a Linux server running 
Apache Tomcat 8 with JDK 1.8.  I've successfully configured LDAP 
authentication based on the cas/login page - I can enter an e-mail address 
and password for an LDAP user and get a successful login.

I'm still working on "CASifying" my apps, or at least finding the ones that 
support SAML, OAUTH, and OpenID and beginning to integrate those into CAS. 
Very early on in those stages.

However, one thing I'd like to do is configure x509 client certificate 
("PKI") authentication to CAS along with LDAP.  We issue certificates with 
a local CA, and the certificate subject name matches the user's LDAP DN. 
So, what I'd like to do with the login flow with CAS is something like 
this:
- User/Application directs to CAS login page.
- CAS looks for/prompts for x509 certificate from user/browser.
- If user provides a certificate, CAS verifies it is issued by local CA, 
looks for the certificate subject name in LDAP, compares provided cert to 
the LDAP userCertificate field, and examines CRL distribution point to make 
sure certificate is valid.
- If certificate matches, is valid, etc., login succeeds, and the LDAP mail 
attribute is used as the login name/principal name for the login, and 
control is returned to app that requested login.
- If certificate is not provided, does not match, etc., user is directed to 
login page.
- User can enter e-mail address and LDAP password at login page.
- If LDAP authentication succeeds, user is logged in and control is 
returned to the requesting app.
- Else login fails.

So, first, I'd like to know if a configuration like this is possible?  I 
suspect that it is, based on how flexible and powerful the CAS server is, 
but don't want to make that assumption and start working on it only to find 
out it doesn't work.  If it is possible, can anyone provide any hints, 
example configurations, etc., that would get me headed in the right 
direction?

Thanks,
Nick

-- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org.
For more options, visit https://groups.google.com/a/apereo.org/d/optout.
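The certificate branch of the flow sketched above, as an added illustration written for this thread (it is not CAS's own X.509 support, which exists as a separate module, nor code from the poster). It assumes the local CA certificate and the presented client certificate are already loaded, the LDAP URL and bind details are supplied by the caller (shown here as an anonymous bind), and, as the post states, the certificate subject DN is the user's LDAP DN.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

/* Added illustration of the PKI branch described in the post; not CAS's own X.509 handler. */
public final class PkiLoginCheck {

    /* Step 1: chain the presented certificate to the local CA and check its CRL distribution point. */
    static void verifyAgainstLocalCa(X509Certificate client, X509Certificate localCa)
            throws GeneralSecurityException {
        System.setProperty("com.sun.security.enableCRLDP", "true"); // make the JDK follow CRL DPs
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker crl = (PKIXRevocationChecker) validator.getRevocationChecker();
        crl.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS,
                                  PKIXRevocationChecker.Option.NO_FALLBACK)); // CRL only, no OCSP fallback
        PKIXParameters params = new PKIXParameters(Collections.singleton(new TrustAnchor(localCa, null)));
        params.addCertPathChecker(crl);
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Collections.singletonList(client));
        validator.validate(path, params); // CertPathValidatorException if untrusted, expired or revoked
    }

    /* Step 2: look the subject DN up in LDAP (assumes subject DN == LDAP DN, as in the post), require a
       byte-for-byte match with userCertificate, and return the mail attribute as the principal name. */
    static String principalFromLdap(String ldapUrl, X509Certificate client)
            throws NamingException, CertificateEncodingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl); // assumed value, e.g. "ldaps://ldap.example.org"
        DirContext ctx = new InitialDirContext(env);
        try {
            String dn = client.getSubjectX500Principal().getName();
            Attributes attrs = ctx.getAttributes(dn, new String[] {"userCertificate;binary", "mail"});
            Attribute stored = attrs.get("userCertificate;binary");
            Attribute mail = attrs.get("mail");
            if (stored == null || mail == null || !Arrays.equals((byte[]) stored.get(), client.getEncoded())) {
                throw new SecurityException("certificate does not match LDAP userCertificate for " + dn);
            }
            return (String) mail.get();
        } finally {
            ctx.close();
        }
    }
}
```

A missing client certificate, or any exception thrown by these two steps, is exactly the point in the described flow where the user should be sent to the e-mail/password form instead.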