Folks,

I have a central application that will be used by multiple groups of users. These users are organized organizationally in LDAP as the primary system of record. However, each organization will have a potentially different choice of which of my available authentication providers need to be presented/enforced for users in said "organization".

So I'm looking for a way to trigger, prior to actual authentication, a dynamic configuration decision as to what authentication provider a particular user needs to be presented with, but all accessing the same service URL.

I'm expecting I'll need to intercept the authentication request at some point, do an LDAP lookup on the user ID and grab my determining attribute, and then, based upon the value of said attribute, essentially dynamically assign this user an auth. service. This authentication could be LDAP, Radius or even subsequent MFA. Kind of what the MFA triggers do, but dynamically updating even what the original first authentication factor would be.

I haven't seen any native configurations for CAS that would let me do this, so just wondering where I could hook into the CAS sequences/flows to do such a thing.

(or)

As an aside or potential alternative, I'd imagined a way where I could provide a particular user set with a unique service URL; this could be used to provide resolution to what authentication source that "organization" should use, but then upon authenticating redirect them to the central application with SSO. I would need, however, to prevent users from accidentally (or nefariously) going directly to the central application and potentially authenticating with an inappropriate authentication source. Is there a way to maybe configure a Java Spring App so that it can only accept proxied authentications or something along those lines?

Hopefully I've made sense in explaining my requirements here.

Sincerely.

Colin



