Everything you described is possible, almost word for word :)
See https://apereo.github.io/cas/4.2.x/installation/X509-Authentication.html From: [email protected] [mailto:[email protected]] On Behalf Of Nick Couchman Sent: Wednesday, June 8, 2016 11:54 AM To: CAS Community <[email protected]> Subject: [cas-user] Assistance with x509 + LDAP First, I'm new to CAS and am still working my way around it, Spring, and Maven. Have mercy on the newbie. My environment is a Linux server running Apache Tomcat 8 with JDK 1.8. I've successfully configured LDAP authentication based on the cas/login page - I can enter an e-mail address and password for an LDAP user and get a successful login. I'm still working on "CASifying" my apps, or at least finding the ones that support SAML, OAUTH, and OpenID and beginning to integrate those into CAS. Very early on in those stages. However, one thing I'd like to do is configure x509 client certificate ("PKI") authentication to CAS along with LDAP. We issue certificates with a local CA, and the certificate subject name matches the user's LDAP DN. So, what I'd like to do with the login flow with CAS is something like this: - User/Application directs to CAS login page. - CAS looks for/prompts for x509 certificate from user/browser. - If user provides a certificate, CAS verifies it is issued by local CA, looks for the certificate subject name in LDAP, compares provided cert to the LDAP userCertificate field, and examines CRL distribution point to make sure certificate is valid. - If certificate matches, is valid, etc., login succeeds, and the LDAP mail attribute is used as the login name/principal name for the login, and control is returned to app that requested login. - If certificate is not provided, does not match, etc., user is directed to login page. - User can enter e-mail address and LDAP password at login page. - If LDAP authentication succeeds, user is logged in and control is returned to the requesting app. - Else login fails. So, first, I'd like to know if a configuration like this is possible? I suspect that it is, based on how flexible and powerful the CAS server is, but don't want to make that assumption and start working on it only to find out it doesn't work. If it is possible, can anyone provide any hints, example configurations, etc., that would get me headed in the right direction? Thanks, Nick -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected] <mailto:[email protected]> . To post to this group, send email to [email protected] <mailto:[email protected]> . Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org <https://groups.google.com/a/apereo.org/d/msgid/cas-user/10d0319a-5206-4739-85de-52859f5f5ded%40apereo.org?utm_medium=email&utm_source=footer> . For more options, visit https://groups.google.com/a/apereo.org/d/optout. -- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/a/apereo.org/group/cas-user/. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/012d01d1c1ba%24ae2a9880%240a7fc980%24%40unicon.net. For more options, visit https://groups.google.com/a/apereo.org/d/optout.
