Hi Nicolas,
In our organization, we need to let the user choose between the default
login and SPNEGO upon a list of criteria and sometimes we need to go
directly to the SPNEGO authentication upon other criteria. For this
feature, I extended the SPNEGO module. I show a button with the label
"LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
expression. When the service matches a regular expression and the IP
address also matches its regular expression, I force SPNEGO authentication
without giving the user the chance to authenticate otherwise. If none of
the previous conditions are present, then the user must authenticate
normally with his user ID and password.
If you look the following webflow, you will find this logic inside.
<var name="credentials" class=
"org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
<on-start>
<evaluate expression="initialFlowSetupAction" />
<set name="flowScope.displaySPNegoButton" value="false" />
</on-start>
<decision-state id="ticketGrantingTicketExistsCheck">
<if test="flowScope.ticketGrantingTicketId neq null" then=
"hasServiceCheck" else="gatewayRequestCheck" />
</decision-state>
<decision-state id="gatewayRequestCheck">
<if test="externalContext.requestParameterMap['gateway'] neq ''
&& externalContext.requestParameterMap['gateway'] neq null
&& flowScope.service neq null" then="gatewayServicesManagementCheck"
else="startAuthenticateCheck" />
</decision-state>
<decision-state id="hasServiceCheck">
<if test="flowScope.service != null" then="renewRequestCheck" else=
"viewGenericLoginSuccess" />
</decision-state>
<decision-state id="renewRequestCheck">
<if test="externalContext.requestParameterMap['renew'] neq '' &&
externalContext.requestParameterMap['renew'] neq null" then=
"startAuthenticateCheck" else="generateServiceTicket" />
</decision-state>
<!--
The "warn" action makes the determination of whether to redirect
directly to the requested
service or display the "confirmation" page to go back to the server.
-->
<decision-state id="warn">
<if test="flowScope.warnCookieValue" then="showWarningView" else=
"redirect" />
</decision-state>
<!--
<action-state id="startAuthenticate">
<action bean="x509Check" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="warn" to="warn" />
<transition on="error" to="generateLoginTicket" />
</action-state>
-->
<decision-state id="startAuthenticateCheck">
<if test="externalContext.requestParameterMap['spnego'] neq ''
&& externalContext.requestParameterMap['spnego'] neq null
&& externalContext.requestParameterMap['spnego'] eq 'off'" then=
"generateLoginTicket" else="spnegoForceCheckAction" />
</decision-state>
<decision-state id="spnegoForceCheckAction">
<if test="externalContext.requestParameterMap['forcespnego'] neq ''
&& externalContext.requestParameterMap['forcespnego'] neq null
&& externalContext.requestParameterMap['forcespnego'] eq 'true'"
then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
</decision-state>
<action-state id="spnegoAppCheckAction">
<evaluate expression="spNegoAppCheck" />
<transition on="yes" to="spnegoIPCheckAction2" />
<transition on="no" to="spnegoIPCheckAction" />
</action-state>
<action-state id="spnegoIPCheckAction">
<evaluate expression="spNegoIPCheck" />
<transition on="yes" to="generateLoginTicket" >
<set name="flowScope.displaySPNegoButton" value="true" />
</transition>
<transition on="no" to="generateLoginTicket" />
</action-state>
<action-state id="spnegoIPCheckAction2">
<evaluate expression="spNegoIPCheck" />
<transition on="yes" to="startAuthenticate" />
<transition on="no" to="generateLoginTicket" />
</action-state>
<action-state id="startAuthenticate">
<evaluate expression="negociateSpnego" />
<transition on="success" to="spnego" />
</action-state>
<action-state id="spnego">
<evaluate expression="spnego" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="error" to="generateLoginTicket" />
</action-state>
<action-state id="generateLoginTicket">
<evaluate expression=
"generateLoginTicketAction.generate(flowRequestContext)" />
<transition on="success" to="viewLoginForm" />
</action-state>
Here are my new spnego.properties
# cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
SPNEGO by changing the succes transition of initialLoginForm action-state
to startSpnegoAuthenticate
# cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the
client based on the client action strategy defined in
evaluateClientActionStrategy.
# It changes the
success transition of initialLoginForm action-state to evaluateClientRequest
cas.authn.spnego.spnegoMode=evaluateClient|direct
# The following property is deprecated
#cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
# cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
where CAS checks to see if the request?s remote hostname matches a
predefine pattern
# cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
where CAS checks an LDAP instance for the remote hostname,
#
to locate a pre-defined attribute whose mere existence would allow the
webflow to resume to SPNEGO
# cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
where CAS checks if the service corresponds to a regularExpression
# defined in
serviceNamePatternString and the ip corresponds to ipsToCheckPattern
implemented
# in baseSpnegoClientAction
cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
It works well for me. If you want it, I could send you the code.
Le jeudi 17 mai 2018 01:47:54 UTC-4, Nicholas Wylie a écrit :
>
> Hi CAS Community,
>
> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
> against our Active Directory.
>
> What we have noticed though is that non-domain joined computers see a
> pop-up prompt for credentials when they visit the CAS login page. From my
> reading, I believe we can fix this by configuring the LDAP Client Selection
> Strategy for SPNEGO, but the documentation for which properties need to be
> configured seems to be a bit scarce.
>
> Can someone offer any guidance (or a link to some documentation) as to
> which properties I need to configure to use the LDAP Client Selection
> Strategy?
>
> Thanks,
> Nicholas
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.
