Hi Nicolas,

In our organization, we need to let the user choose between the default 
login and SPNEGO based on a list of criteria, and sometimes we need to go 
directly to the SPNEGO authentication based on other criteria. For this 
feature, I extended the SPNEGO module. I show a button with the label 
"LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular 
expression. When the service matches a regular expression and the IP 
address also matches its regular expression, I force SPNEGO authentication 
without giving the user the chance to authenticate otherwise. If none of 
the previous conditions are present, then the user must authenticate 
normally with his user ID and password.
If you look at the following webflow, you will find this logic inside it.

<var name="credentials"
     class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />

<on-start>
    <evaluate expression="initialFlowSetupAction" />
    <!-- the login form only renders the Windows-account button when this is true -->
    <set name="flowScope.displaySPNegoButton" value="false" />
</on-start>

<decision-state id="ticketGrantingTicketExistsCheck">
    <if test="flowScope.ticketGrantingTicketId neq null"
        then="hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>

<decision-state id="gatewayRequestCheck">
    <if test="externalContext.requestParameterMap['gateway'] neq '' &amp;&amp; externalContext.requestParameterMap['gateway'] neq null &amp;&amp; flowScope.service neq null"
        then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
</decision-state>

<decision-state id="hasServiceCheck">
    <if test="flowScope.service != null"
        then="renewRequestCheck" else="viewGenericLoginSuccess" />
</decision-state>

<decision-state id="renewRequestCheck">
    <if test="externalContext.requestParameterMap['renew'] neq '' &amp;&amp; externalContext.requestParameterMap['renew'] neq null"
        then="startAuthenticateCheck" else="generateServiceTicket" />
</decision-state>

<!--
    The "warn" decision state determines whether to redirect directly to the
    requested service or to display the "confirmation" page to go back to the server.
-->
<decision-state id="warn">
    <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
</decision-state>

<!--
<action-state id="startAuthenticate">
    <action bean="x509Check" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="warn" to="warn" />
    <transition on="error" to="generateLoginTicket" />
</action-state>
-->

<!-- spnego=off in the request always goes to the normal login form -->
<decision-state id="startAuthenticateCheck">
    <if test="externalContext.requestParameterMap['spnego'] neq '' &amp;&amp; externalContext.requestParameterMap['spnego'] neq null &amp;&amp; externalContext.requestParameterMap['spnego'] eq 'off'"
        then="generateLoginTicket" else="spnegoForceCheckAction" />
</decision-state>

<!-- forcespnego=true skips the service check and goes straight to the IP check that forces SPNEGO -->
<decision-state id="spnegoForceCheckAction">
    <if test="externalContext.requestParameterMap['forcespnego'] neq '' &amp;&amp; externalContext.requestParameterMap['forcespnego'] neq null &amp;&amp; externalContext.requestParameterMap['forcespnego'] eq 'true'"
        then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
</decision-state>

<!-- does the service match serviceNamePatternString? yes: force SPNEGO if the IP also matches; no: only offer the button if the IP matches -->
<action-state id="spnegoAppCheckAction">
    <evaluate expression="spNegoAppCheck" />
    <transition on="yes" to="spnegoIPCheckAction2" />
    <transition on="no" to="spnegoIPCheckAction" />
</action-state>

<!-- IP matches ipsToCheckPattern: show the "LOGIN WITH MY WINDOWS ACCOUNT" button on the login form -->
<action-state id="spnegoIPCheckAction">
    <evaluate expression="spNegoIPCheck" />
    <transition on="yes" to="generateLoginTicket">
        <set name="flowScope.displaySPNegoButton" value="true" />
    </transition>
    <transition on="no" to="generateLoginTicket" />
</action-state>

<!-- IP matches ipsToCheckPattern: go straight to SPNEGO negotiation; otherwise fall back to the login form -->
<action-state id="spnegoIPCheckAction2">
    <evaluate expression="spNegoIPCheck" />
    <transition on="yes" to="startAuthenticate" />
    <transition on="no" to="generateLoginTicket" />
</action-state>

<action-state id="startAuthenticate">
    <evaluate expression="negociateSpnego" />
    <transition on="success" to="spnego" />
</action-state>

<action-state id="spnego">
    <evaluate expression="spnego" />
    <transition on="success" to="sendTicketGrantingTicket" />
    <transition on="error" to="generateLoginTicket" />
</action-state>

<action-state id="generateLoginTicket">
    <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
    <transition on="success" to="viewLoginForm" />
</action-state>


Here is my new spnego.properties:

# cas.authn.spnego.spnegoMode=direct: go directly to SPNEGO by changing the success transition
#     of the initialLoginForm action-state to startSpnegoAuthenticate
# cas.authn.spnego.spnegoMode=evaluateClient: evaluate the client based on the client action strategy
#     defined in evaluateClientActionStrategy; it changes the success transition of the
#     initialLoginForm action-state to evaluateClientRequest
cas.authn.spnego.spnegoMode=evaluateClient|direct
# The following property is deprecated
#cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
# cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction: CAS checks whether the
#     request's remote hostname matches a predefined pattern
# cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction: CAS checks an LDAP instance for
#     the remote hostname, to locate a predefined attribute whose mere existence would allow the
#     webflow to resume to SPNEGO
# cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction: CAS checks whether the
#     service matches the regular expression defined in serviceNamePatternString and the IP matches
#     ipsToCheckPattern, implemented in baseSpnegoClientAction
cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
# dots in the IP pattern are escaped; an unescaped dot would match any character
cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122\.110))(\.[0-9]{1,3}){2}
cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)


It works well for me. If you want it, I could send you the code.

On Thursday, 17 May 2018 01:47:54 UTC-4, Nicholas Wylie wrote:
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication 
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a 
> pop-up prompt for credentials when they visit the CAS login page. From my 
> reading, I believe we can fix this by configuring the LDAP Client Selection 
> Strategy for SPNEGO, but the documentation for which properties need to be 
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to 
> which properties I need to configure to use the LDAP Client Selection 
> Strategy?
>
> Thanks,
> Nicholas
>

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.
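As an added example (not the poster's code and not part of CAS), here is the same branching as the posted webflow written in plain Python, so the decision can be read and tested outside a Spring Web Flow deployment. The hostnames and networks are constructed stand-ins for the poster's spnego.properties values, the function names are mine, and the sample requests are made up. It also carries the check a practitioner would want on the service pattern: an unanchored regex over the raw service URL (the shape of serviceNamePatternString) also matches a URL that merely contains the hostname in its query string, so the hardened form parses the URL and matches the hostname in full, and the client check tests network membership instead of running a regex over the dotted string.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-ins for the two properties (assumptions, not the poster's
# real values): service hosts that force SPNEGO, and client networks that are
# allowed to attempt it.
SERVICE_HOST_PATTERN = re.compile(r"(app1|app2)\.domain\.ca", re.IGNORECASE)
SPNEGO_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/16"),
    ipaddress.ip_network("122.110.0.0/16"),
]

# Pattern in the style of the posted serviceNamePatternString, applied with
# search() to the whole service URL; kept only to show why that is unsafe.
NAIVE_SERVICE_PATTERN = re.compile(r"(app1\.domain\.ca)|(app2\.domain\.ca)")


def naive_service_matches(service):
    """Unanchored regex over the raw service URL (the weak form)."""
    return NAIVE_SERVICE_PATTERN.search(service) is not None


def service_matches(service):
    """Parse the service URL and match the whole hostname (the hardened form).

    Anything that is not an absolute http(s) URL with a host counts as no
    match, so malformed input lands on the password form rather than on a
    forced SPNEGO attempt.
    """
    try:
        parts = urlsplit(service)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return SERVICE_HOST_PATTERN.fullmatch(parts.hostname) is not None


def ip_matches(remote_addr):
    """Network membership instead of a regex on the dotted string.

    remote_addr must be the socket peer address (or an X-Forwarded-For value
    taken only from a trusted proxy); it must never come straight from the
    client, or the forced branch becomes client-steerable.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in SPNEGO_NETWORKS)


def decide(params, service, remote_addr):
    """Same branching as the posted decision/action states.

    Returns 'password-only', 'password-with-spnego-button' or 'force-spnego'.
    """
    # startAuthenticateCheck: spnego=off always goes to the login form
    if params.get("spnego") == "off":
        return "password-only"
    # spnegoForceCheckAction, then spnegoAppCheckAction
    if params.get("forcespnego") == "true" or service_matches(service):
        # spnegoIPCheckAction2: matching IP negotiates, otherwise the form
        return "force-spnego" if ip_matches(remote_addr) else "password-only"
    # spnegoIPCheckAction: matching IP gets the form with the Windows button
    if ip_matches(remote_addr):
        return "password-with-spnego-button"
    return "password-only"


if __name__ == "__main__":
    # Constructed requests for a quick run.
    for params, service, ip in [
        ({}, "https://app1.domain.ca/login", "122.110.5.7"),
        ({}, "https://other.domain.ca/", "127.0.4.9"),
        ({}, "https://evil.example/?next=app1.domain.ca", "127.0.0.1"),
        ({"spnego": "off"}, "https://app1.domain.ca/login", "122.110.5.7"),
    ]:
        print(service, ip, params, "->", decide(params, service, ip))
```

Run it as a script to see the four constructed requests routed. Two points worth keeping in mind when reading the flow as posted: the remote address fed to the IP check has to be the connection's peer address (or a forwarding header set only by a trusted proxy), and because startAuthenticateCheck honours spnego=off before the force check is reached, that parameter lets any client reach the password form, so the forced path is a convenience for domain-joined clients rather than an enforcement boundary.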
