In our CAS environment, some services need to authenticate users using LDAP 
(Active Directory) and others need to authenticate through delegation with 
Azure.

Ideally, we'd like to have the user be presented with only a single 
login form on the CAS login page. With the delegated authentication, this 
can be achieved with the use of allowedProviders list in the 
delegatedAuthenticationPolicy block of the service definition.

For example:

  "accessStrategy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
    "delegatedAuthenticationPolicy" : {
      "@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
      // Allowed providers is a list of external identity provider names
      // (i.e. client names from cas.properties)
      "allowedProviders" : [ "java.util.ArrayList", [ "Student Login", "Employee Login" ] ],
      "permitUndefined" : true,
      "exclusive" : true
    }
  }

This works well for delegated services. However, I have not been able to 
find a similar method for services that are authenticated via LDAP, and the 
login page still shows the delegated login buttons beside the usual CAS 
login form. I have tried using requiredAuthenticationHandlers, but this 
doesn't have a noticeable effect (from 
https://apereo.github.io/cas/6.1.x/services/Configuring-Service-Required-AuthN.html 
and this blog 
https://apereo.github.io/2019/12/23/cas62x-authn-handler-resolution/):

{
  /*
   * Custom applications requiring CAS authentication against LDAP (Active Directory)
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "requiredHandlers" : [ "java.util.HashSet", [ "StudentActiveDirectory" ] ],
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}

And of course, here are the appropriate snippets from our cas.properties:

cas.authn.ldap[0].order:            0
cas.authn.ldap[0].name:             EmployeeActiveDirectory
...
cas.authn.ldap[1].order:            1
cas.authn.ldap[1].name:             StudentActiveDirectory
...
cas.authn.pac4j.saml[0].clientName:                   Employee Login
...
cas.authn.pac4j.saml[1].clientName:                   Student Login
This warning shows up in the cas.log:

2020-08-24 10:03:06,162 WARN [org.apereo.cas.services.AbstractRegisteredService] - <Assigning a collection of required authentication handlers to a registered service is deprecated. This field is scheduled to be removed in the future. If you need to, consider defining an authentication policy for the registered service instead to specify required authentication handlers [[StudentActiveDirectory]]>

And this as well, though I'm not sure if it's related; I wouldn't expect 
to see it considering the use of requiredHandlers in the service definition:

2020-08-24 10:03:17,441 WARN [org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy] - <Registered service [Student App] does not define any authorized/supported delegated authentication providers. It is STRONGLY recommended that you authorize and assign providers to the service definition. While just a warning for now, this behavior will be enforced by CAS in future versions.>

We're using CAS 6.2.1 on Tomcat 9.0.33 and Java 11.

Any ideas and/or suggestions are greatly appreciated.

-- 
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9dd0b96b-eeb3-40bb-a2c3-0769d32a8f89n%40apereo.org.
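As an added example (not part of the original post and not the CAS project's own code), here is the "Student App" service from the post with the deprecated requiredHandlers field replaced by the authenticationPolicy block that the first warning points to; the policy and criteria class names follow the CAS 6.2.x service authentication policy documentation, and StudentActiveDirectory is the handler name from the cas.properties above. This only addresses the deprecation warning; whether it changes which login buttons are rendered is not something the post establishes.

```json
{
  /*
   * Added example: the same "Student App" service definition, with the
   * deprecated "requiredHandlers" field replaced by an authentication policy.
   * Class names follow the CAS 6.2.x documentation; verify against your version.
   */
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^https://exampleserver.com/studentApp/.*",
  "name" : "Student App",
  "id" : 2020082414,
  "evaluationOrder" : 5,
  "enabled" : true,
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",
    // Only this handler (cas.authn.ldap[1].name in cas.properties) may satisfy
    // authentication for this service; the employee AD handler is not listed.
    "requiredAuthenticationHandlers" : [ "java.util.TreeSet", [ "StudentActiveDirectory" ] ],
    "criteria" : {
      // Any one of the listed handlers must succeed; tryAll=false stops at the first success.
      "@class" : "org.apereo.cas.services.AnyAuthenticationHandlerRegisteredServiceAuthenticationPolicyCriteria",
      "tryAll" : false
    }
  },
  "attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
      "@class" : "java.util.TreeMap",
      "sn" : "sn",
      "cn" : "cn"
    }
  }
}
```

After replacing the field, the "Assigning a collection of required authentication handlers ... is deprecated" warning should no longer appear for this service on startup.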