Folks,

I have a central application that will be used by multiple groups of
users. These users are organized organizationally in LDAP as the primary
system of record. However each organization will have a potentially
different choice of which of my available authentication providers need
to be presented/enforced for users in said "organization".

So I'm looking for a way to trigger, prior to actual authentication, a
dynamic configuration decision as to what authentication provider a
particular user needs to be presented with, but all accessing the same
service URL.

I'm expecting I'll need to intercept the authentication request at some
point, do an LDAP lookup on the user ID and grab my determining
attribute and then based upon the value of said attribute essentially
dynamically assign this user with an auth. service. This authentication
could be LDAP, Radius or even subsequent MFA. Kind of what the MFA
triggers do but dynamically updating even what the original first
authentication factor would be.

I haven't seen any native configurations for CAS that would let me do
this, so just wondering where I could hook into the CAS sequences/flows
to do such a thing.

(or)

As an aside or potential alternative I'd imagined a way where I could
provide a particular user set with a unique service URL, this could be
used to provide resolution to what authentication source that
"organization" should use, but then upon authenticating redirect them to
the central application with SSO. I would need however to prevent users
from accidentally (or nefariously) going directly to the central
application and potentially authenticating with an inappropriate
authentication source. Is there a way to maybe configure a Java Spring
App that it can only accept proxied authentications or something along
those lines?

Hopefully I've made sense in explaining my requirements here.

Sincerely.
Colin