Colin,

In federated access, the user is often presented with a discovery lookup where they select or type their chosen identity provider. It is possible to modify the CAS web flow, https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization.html, and insert such a page. See https://samltest.id/start-idp-test/ for an example (EntityID == organization).

For subsequent events like MFA, you can trigger those with user attribute(s) set in the service definition.

Ray

On Mon, 2019-12-16 at 11:47 -0500, Colin Ryan wrote:

> Folks,
>
> I have a central application that will be used by multiple groups of users. These users are organized organizationally in LDAP as the primary system of record. However, each organization will have a potentially different choice of which of my available authentication providers need to be presented/enforced for users in said "organization".
>
> So I'm looking for a way to trigger, prior to actual authentication, a dynamic configuration decision as to what authentication provider a particular user needs to be presented with, but all accessing the same service URL.
>
> I'm expecting I'll need to intercept the authentication request at some point, do an LDAP lookup on the user ID and grab my determining attribute, and then, based upon the value of said attribute, essentially dynamically assign this user an auth service. This authentication could be LDAP, RADIUS or even subsequent MFA. Kind of what the MFA triggers do, but dynamically updating even what the original first authentication factor would be.
>
> I haven't seen any native configurations for CAS that would let me do this, so I'm just wondering where I could hook into the CAS sequences/flows to do such a thing.
>
> Or) As an aside or potential alternative, I'd imagined a way where I could provide a particular user set with a unique service URL; this could be used to provide resolution to what authentication source that "organization" should use, but then upon authenticating redirect them to the central application with SSO. I would need, however, to prevent users from accidentally (or nefariously) going directly to the central application and potentially authenticating with an inappropriate authentication source. Is there a way to maybe configure a Java Spring app so that it can only accept proxied authentications, or something along those lines?
>
> Hopefully I've made sense in explaining my requirements here.
>
> Sincerely,
> Colin

--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.
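As an added illustration of Ray's second point (MFA triggered from a user attribute in the service definition), here is a CAS 6.x JSON service registration. It is an example written for this thread, not code from Ray, Colin or the CAS project. The application URL pattern, the principal attribute name `organizationAuthPolicy`, its value `requires-mfa`, and the provider id `mfa-duo` are assumed placeholders; substitute the attribute your LDAP lookup actually yields and the id of the MFA provider you have configured.

```json
{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://app\\.example\\.org/.*",
  "name" : "Central application (placeholder)",
  "id" : 1000,
  "description" : "Second factor is required only for users whose organization policy attribute says so",
  "multifactorPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders" : [ "java.util.LinkedHashSet", [ "mfa-duo" ] ],
    "principalAttributeNameTrigger" : "organizationAuthPolicy",
    "principalAttributeValueToMatch" : "^requires-mfa$",
    "failureMode" : "CLOSED"
  }
}
```

Two points a practitioner should check before relying on this. First, the trigger only fires if `organizationAuthPolicy` is actually resolved into the authenticated principal, so the attribute must be fetched from LDAP by the attribute repository (or the LDAP authentication handler) rather than merely existing in the directory; `principalAttributeValueToMatch` is a regular expression, so anchor it as shown to avoid accidental partial matches. Second, this policy covers only the second factor: it cannot change which first-factor handler (LDAP, RADIUS, ...) a user is challenged with, which is the part of Colin's question that Ray points to the webflow customization for. Because the policy is bound to the central application's `serviceId` rather than to a per-organization URL, it also addresses Colin's concern about users reaching the central application directly: the attribute-driven check is evaluated for that service regardless of how the user arrived.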
