Hi Ray, thank you for your suggestion.
Luckily I found the configuration below in the docs:
https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Policy-All.html

```
cas.authn.policy.all-handlers.enabled=false
cas.authn.policy.all-handlers.name=CustomDelegatedClientAuthenticationHandler,QueryDatabaseAuthenticationHandler
```

With these I am able to control the handlers that CAS can use to authenticate.

Now I have two webflow setups: one uses `QueryDatabaseAuthenticationHandler`
and the other uses `CustomDelegatedClientAuthenticationHandler`, with MFA
enabled on both.

The issue is that after a user registers on Google Authenticator through
webflow 1 (`QueryDatabaseAuthenticationHandler` + MFA), if the same user tries
to log in through webflow 2 (`CustomDelegatedClientAuthenticationHandler` + MFA),
he is asked to register again on Google Authenticator. What I want is
this: *if a user registers on Google Authenticator through webflow 1, and
later tries to log in through webflow 2, he should not be asked to register
again on Google Authenticator.* My *suspicion* is that MFA is generating
different secrets for `QueryDatabaseAuthenticationHandler` and
`CustomDelegatedClientAuthenticationHandler`.

Is there a way I can configure MFA so that if the email is the same, it
treats the user as the same across both setups?

Thank you for your help.
On Wednesday, November 13, 2024 at 7:49:50 AM UTC+5:30 Ray Bon wrote:

> Tausif,
>
> Could you put the logic from your custom class in a post processor
>
> https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-PrePostProcessing.html#authentication-post-processing
>
> and limit users that way?
>
> Ray
>
> On Sun, 2024-11-10 at 21:23 -0800, Tausif Iqbal wrote:
>
> Hi Ray Bon,
> Thank you for the suggestion.
> What I noticed is that if the CustomDelegatedClientAuthenticationHandler
> fails to authenticate a credential, then CAS picks the next handler, which is
> DelegatedAuthenticationHandler, and authenticates the credential.
> Is there a way I can tell CAS not to pick DelegatedAuthenticationHandler
> at all?
>
> Thank you
>
> On Friday, November 8, 2024 at 8:23:20 AM UTC+5:30 Ray Bon wrote:
>
> Tausif,
>
> Check out springframework sortOrder. It should affect the order of bean 
> creation. (It goes in the Configurer.)
> However if the default handlers list is actually a set ...
>
> Ray
>
> On Thu, 2024-11-07 at 10:32 -0800, Tausif Iqbal wrote:
>
>
> Hi Ray Bon,
> Thank you for the link.
> After spending some time I am able to write a
> CustomDelegatedClientAuthenticationHandler and register it.
> Now the issue is that when I start the CAS overlay, sometimes it picks
> DelegatedClientAuthenticationHandler and sometimes
> CustomDelegatedClientAuthenticationHandler, depending upon the order in the
> default handlers list:
>
> [ProxyAuthenticationHandler, DelegatedClientAuthenticationHandler, CustomDelegatedClientAuthenticationHandler, QueryDatabaseAuthenticationHandler, Static Credentials]
>
> or
>
> [ProxyAuthenticationHandler, CustomDelegatedClientAuthenticationHandler, DelegatedClientAuthenticationHandler, QueryDatabaseAuthenticationHandler, Static Credentials]
>
> Is there a way I can fix the order of handlers in the list?
> Thank you
> Tausif
>
> On Tuesday, November 5, 2024 at 12:11:31 AM UTC+5:30 Ray Bon wrote:
>
> Tausif,
>
> There are things you can do before and after authentication. see 
> https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Components.html
>
> Ray
>
> On Sun, 2024-11-03 at 03:57 -0800, Tausif Iqbal wrote:
>
>
> Hi Ng Sek Long,
>
> I am also trying to do something similar. I already have a database set up
> for authentication; now I want to add Google OAuth on top of it, so that
> genuine users can log in directly without typing credentials, but now the
> issue is that anyone can log in with Google OAuth.
>
> Could you let me know what steps you followed to achieve this?
>
> Thanks in advance
>
>
> On Wednesday, August 16, 2017 at 6:46:14 AM UTC+5:30 Ng Sek Long wrote:
>
> Thanks for your suggestion! I don't mind editing cas source code if my use 
> case is specific for me. Because of my use case, I think I will use the 
> less elegant approach for now until I get time to implement the better 
> approach.
>
> -Andy
>
>
> On Wednesday, 16 August 2017 00:53:59 UTC+8, Misagh Moayyed wrote:
>
> So you're saying: allow Peter to authenticate via Facebook, then come back 
> to CAS, authenticate and verify credentials and then possibly reject Peter 
> because he's not allowed? 
>
> You cannot do this without changing source code, but it's strange that you 
> present an option first only to possibly reject it later. It would be 
> better if you tied that policy to a service record in CAS where you could 
> then say: if you want to log into application X, you can use any of the 
> following authorized providers (because there is code that knows what to 
> authorize/prepare for each delegated scenario). Also requires code, but I 
> submit it's the more sensible approach.
>
> --Misagh
>
> ------------------------------
> From: "Ng Sek Long" <[email protected]>
> To: "CAS Community" <[email protected]>
> Sent: Monday, August 14, 2017 7:59:25 PM
> Subject: [cas-user] Is it possible in my app to allow only authorized
> user to use pac4j delegation to login
>
> Hi all, and first of all, thanks in advance. Here's my problem:
>
> [*CAS version*]: 5.2.0-RC1 (I need features from this version)
>
> [*Background*]:
> My application uses pac4j to allow users to log in using, for example, Fb,
> Google, LinkedIn and such.
>
> [*Problem*]:
> However, only certain users that are authorized are allowed to log in using
> those pac4j methods. Now that I use pac4j as a login method, everybody can
> log in.
>
> [*Question*]:
> Is it possible to allow only authorized users to use pac4j authentication?
> For example, maybe I can use a database which specifies that only Peter, Mary
> and John can use Fb to log in. Then other random people cannot use pac4j as
> a login method.
>
> [*Things I tried*]:
> I tried to configure this bean: "clientAuthenticationHandler" in
> "org.apereo.cas.support.pac4j.config.support.authentication", and I found
> out that there is nothing I can do there that implements what I need.
>
> I would like to edit this: ClientAuthenticationHandler
> -> doAuthentication, and add my customization, but it is not a bean, and I
> don't really want to replace any source code.
>
> Any help would be appreciated!
>

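The post-processor approach Ray points to above, written out as an added Java example that is not part of this thread and not code from the CAS project: it runs after the authentication handlers have produced their results, looks at the principal that the delegated handler resolved, and fails the authentication when that principal's email is not on an allow-list, leaving database logins untouched. The handler name `CustomDelegatedClientAuthenticationHandler`, the `email` attribute name, the package name and the in-memory allow-list are assumptions (the list stands in for the database lookup described in the thread); the CAS types used (`AuthenticationPostProcessor`, `AuthenticationEventExecutionPlan`, `AuthenticationEventExecutionPlanConfigurer`) exist in CAS 6.x/7.x, but their exact signatures should be checked against the CAS version in your overlay.

```java
package org.example.cas; // assumed package inside the CAS overlay

import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.login.FailedLoginException;

import org.apereo.cas.authentication.AuthenticationBuilder;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlan;
import org.apereo.cas.authentication.AuthenticationEventExecutionPlanConfigurer;
import org.apereo.cas.authentication.AuthenticationException;
import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
import org.apereo.cas.authentication.AuthenticationPostProcessor;
import org.apereo.cas.authentication.AuthenticationTransaction;
import org.apereo.cas.authentication.Credential;
import org.apereo.cas.authentication.principal.Principal;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/**
 * Rejects delegated (pac4j) logins whose resolved principal is not on an allow-list.
 * Added example; the handler name and the attribute name below are assumptions.
 */
public class DelegatedLoginAllowListPostProcessor implements AuthenticationPostProcessor {

    // Assumed: the name under which the custom delegated handler records its success.
    static final String DELEGATED_HANDLER = "CustomDelegatedClientAuthenticationHandler";
    // Assumed: the principal attribute the delegated provider maps the address to.
    static final String EMAIL_ATTRIBUTE = "email";

    private final Set<String> allowedEmails;

    public DelegatedLoginAllowListPostProcessor(final Set<String> allowedEmails) {
        this.allowedEmails = allowedEmails;
    }

    @Override
    public void process(final AuthenticationBuilder builder,
                        final AuthenticationTransaction transaction) throws AuthenticationException {
        // Only inspect the result of the delegated handler; other handlers are left alone.
        final AuthenticationHandlerExecutionResult result = builder.getSuccesses().get(DELEGATED_HANDLER);
        if (result == null) {
            return;
        }
        final Principal principal = result.getPrincipal();
        if (!isAllowed(principal)) {
            // Failing here fails the transaction; CAS reports it as an authentication failure.
            throw new AuthenticationException(Map.of(DELEGATED_HANDLER,
                new FailedLoginException("Delegated login not permitted for " + principal.getId())));
        }
    }

    /** True when any value of the email attribute matches the allow-list (case-insensitive). */
    boolean isAllowed(final Principal principal) {
        final List<Object> emails = principal.getAttributes().getOrDefault(EMAIL_ATTRIBUTE, List.of());
        return emails.stream()
            .map(v -> String.valueOf(v).trim().toLowerCase())
            .anyMatch(allowedEmails::contains);
    }

    @Override
    public boolean supports(final Credential credential) {
        return true;
    }

    /** Registers the post-processor with the CAS authentication execution plan. */
    @Configuration
    public static class AllowListConfiguration implements AuthenticationEventExecutionPlanConfigurer {
        // Constructed sample allow-list; in practice this is the database lookup the thread mentions.
        private static final Set<String> ALLOWED = Set.of("peter@example.org", "mary@example.org");

        @Bean
        public AuthenticationPostProcessor delegatedLoginAllowListPostProcessor() {
            return new DelegatedLoginAllowListPostProcessor(ALLOWED);
        }

        @Override
        public void configureAuthenticationExecutionPlan(final AuthenticationEventExecutionPlan plan) {
            plan.registerAuthenticationPostProcessor(delegatedLoginAllowListPostProcessor());
        }
    }
}
```

Because the check keys on the handler's recorded result rather than on the credential type, it is independent of which delegated handler CAS happens to pick first; the allow-list lookup is the only part that needs replacing with the existing database query, and the decision is logged by CAS as an ordinary failed authentication for the delegated handler.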
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/2adfc66f-d854-4c3f-815d-c83c90fe273an%40apereo.org.