Brent,

Steps 3) and 4) are confusing. If the IdP is performing authentication in 3), why 
is CAS also validating credentials?

Picking from a list (or typing it in) is frequently used as a method for IdP 
selection. User name would also work but may be a little confusing to users 
when they enter the same data twice (but maybe that is just my view on UX).

Do you control the IdP(s)? The SP(s)?

What is the role of CAS in 4)?
If the IdP has already authenticated the user, that should indicate that the 
user is on the 'approved list'.

Ray


On Tue, 2019-05-21 at 10:36 -0700, Brent Smith wrote:
Hey Ray,

We want to delegate authentication from CAS to these client IdPs.  We'll either 
use an IdP-initiated flow, or we'll build out an "SP-initiated flow" in CAS.   
Something like this:

1) User hits protected service and is redirected to CAS
2) "Magic IdP resolution" (TBD) forwards them to client's IdP.
3) IdP sends them back to CAS after successful authentication
4) CAS validates user credentials against the approved list of users for that 
IdP.

Step 4) is the one I'm asking about here.  We have a list of approved users for 
each client from our provisioning system.

Step 2) might just be a "pick your IdP from a list", or we might attempt to 
customize the CAS login flow to accept username first (instead of username and 
password), then look up IdP based on username and redirect, if necessary.

I'm curious if anyone has done anything like 2) as well.

Thanks!




On Tuesday, May 21, 2019 at 1:21:06 PM UTC-4, rbon wrote:
Brent,

Are you saying that the user authenticates first with CAS and is then 
redirected to a SAML IdP? Or how will you determine to which IdP a user will be 
sent?

Ray

On Tue, 2019-05-21 at 07:45 -0700, Brent Smith wrote:
Hi,

I'm trying to set up a new CAS implementation that delegates to multiple SAML 
IdPs, with each IdP representing a distinct slice of the user base (one IdP per 
customer).

Is there a way for me to restrict one IdP from attempting to authenticate a 
user from another IdP?

I thought about building a custom PersonDirectoryPrincipalResolver, overriding 
the resolve() method to ensure the Credential "matched" the appropriate 
AuthenticationHandler.

Is there another way to do this that doesn't require custom code?

Thanks,

-B



--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
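The check Brent describes as step 4) in the quoted message (and the username-based IdP lookup he floats for step 2) is easy to get wrong in one specific way: it must bind the asserted subject to the IdP that actually issued the assertion, not just confirm the subject appears in some approved list. The following is an added illustration, not part of this thread and not CAS code; the entity IDs, user names, the SamlAssertionSummary type and the allow-list structure are constructed assumptions standing in for whatever the provisioning system exports.

```python
"""Per-IdP allow-list check for delegated SAML authentication.

Added illustration (not CAS code). Models the thread's step 2 (resolve the
IdP from a username) and step 4 (verify, after the IdP has authenticated
the user, that this user is approved for *that* IdP and not another one).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed provisioning data: SAML entityID of each customer IdP mapped to
# the users approved to authenticate through it. In a real deployment this
# would be loaded from the provisioning system, not hard-coded.
APPROVED_USERS: Dict[str, Set[str]] = {
    "https://idp.customer-a.example/saml": {
        "alice@customer-a.example",
        "bob@customer-a.example",
    },
    "https://idp.customer-b.example/saml": {
        "carol@customer-b.example",
    },
}


@dataclass(frozen=True)
class SamlAssertionSummary:
    """Minimal view of a validated assertion (assumed; not a CAS type)."""
    issuer: str   # entityID of the IdP that signed the assertion
    name_id: str  # subject the IdP asserted


def resolve_idp_for_username(username: str) -> Optional[str]:
    """Step 2: find the single IdP a username is provisioned for.

    Returns the entityID, or None if the user is not provisioned. A user
    listed under two IdPs is treated as a provisioning error and refused
    rather than silently routed to whichever IdP happened to match first.
    """
    wanted = username.strip().lower()
    matches = [
        entity_id
        for entity_id, users in APPROVED_USERS.items()
        if wanted in users
    ]
    if len(matches) > 1:
        raise ValueError(f"user {wanted!r} is provisioned for more than one IdP")
    return matches[0] if matches else None


def authorize_delegated_login(assertion: SamlAssertionSummary) -> Tuple[bool, str]:
    """Step 4: decide whether CAS should accept the delegated login.

    Accept only when (a) the issuing IdP is one we know, (b) the subject is
    provisioned, and (c) the IdP that provisioned the subject is the same IdP
    that issued this assertion. Condition (c) is the one that stops IdP X
    from asserting a user who belongs to IdP Y.
    """
    if assertion.issuer not in APPROVED_USERS:
        return False, "unknown IdP"
    expected_idp = resolve_idp_for_username(assertion.name_id)
    if expected_idp is None:
        return False, "user not provisioned"
    if expected_idp != assertion.issuer:
        return False, "asserted by wrong IdP"
    return True, "ok"


if __name__ == "__main__":
    # Constructed assertions for a quick manual run.
    good = SamlAssertionSummary("https://idp.customer-a.example/saml", "alice@customer-a.example")
    wrong_idp = SamlAssertionSummary("https://idp.customer-b.example/saml", "alice@customer-a.example")
    print(authorize_delegated_login(good))
    print(authorize_delegated_login(wrong_idp))
```

The lookup is keyed on the assertion's issuer rather than on which IdP the user was sent to in step 2, because in an IdP-initiated flow CAS never chose an IdP at all; the issuer of the validated assertion is the only fact that ties the login to a customer.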
-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2638abb7ab529b8895c832f3db91ba0d43a5006f.camel%40uvic.ca.