Hi Christian,

Which version of CAS do you use?
It seems to be a version below CAS 5.0.x (org.jasig packages and XML Spring configurations). The SPNEGO client selection strategy was working on the 4.x version, but I cannot make it work after having upgraded to CAS 5.1.x....

Regards,
Charles

<http://www.amoae.com/>
12, impasse du Malrigou, 31140 Montberon
[email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>

On Thu, 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
> Hi Nicolas,
>
> In our organization, we need to let the user choose between the default login and SPNEGO upon a list of criteria, and sometimes we need to go directly to the SPNEGO authentication upon other criteria. For this feature, I extended the SPNEGO module. I show a button with the label "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular expression. When the service matches a regular expression and the IP address also matches its regular expression, I force SPNEGO authentication without giving the user the chance to authenticate otherwise. If none of the previous conditions are present, then the user must authenticate normally with his user ID and password.
> If you look at the following webflow, you will find this logic inside.
>
>     <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>
>     <on-start>
>         <evaluate expression="initialFlowSetupAction" />
>         <set name="flowScope.displaySPNegoButton" value="false" />
>     </on-start>
>
>     <decision-state id="ticketGrantingTicketExistsCheck">
>         <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
>     </decision-state>
>
>     <decision-state id="gatewayRequestCheck">
>         <if test="externalContext.requestParameterMap['gateway'] neq '' && externalContext.requestParameterMap['gateway'] neq null && flowScope.service neq null" then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>     </decision-state>
>
>     <decision-state id="hasServiceCheck">
>         <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
>     </decision-state>
>
>     <decision-state id="renewRequestCheck">
>         <if test="externalContext.requestParameterMap['renew'] neq '' && externalContext.requestParameterMap['renew'] neq null" then="startAuthenticateCheck" else="generateServiceTicket" />
>     </decision-state>
>
>     <!--
>         The "warn" action makes the determination of whether to redirect directly to the requested
>         service or display the "confirmation" page to go back to the server.
>     -->
>     <decision-state id="warn">
>         <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>     </decision-state>
>
>     <!--
>     <action-state id="startAuthenticate">
>         <action bean="x509Check" />
>         <transition on="success" to="sendTicketGrantingTicket" />
>         <transition on="warn" to="warn" />
>         <transition on="error" to="generateLoginTicket" />
>     </action-state>
>     -->
>
>     <decision-state id="startAuthenticateCheck">
>         <if test="externalContext.requestParameterMap['spnego'] neq '' && externalContext.requestParameterMap['spnego'] neq null && externalContext.requestParameterMap['spnego'] eq 'off'" then="generateLoginTicket" else="spnegoForceCheckAction" />
>     </decision-state>
>
>     <decision-state id="spnegoForceCheckAction">
>         <if test="externalContext.requestParameterMap['forcespnego'] neq '' && externalContext.requestParameterMap['forcespnego'] neq null && externalContext.requestParameterMap['forcespnego'] eq 'true'" then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>     </decision-state>
>
>     <action-state id="spnegoAppCheckAction">
>         <evaluate expression="spNegoAppCheck" />
>         <transition on="yes" to="spnegoIPCheckAction2" />
>         <transition on="no" to="spnegoIPCheckAction" />
>     </action-state>
>
>     <action-state id="spnegoIPCheckAction">
>         <evaluate expression="spNegoIPCheck" />
>         <transition on="yes" to="generateLoginTicket">
>             <set name="flowScope.displaySPNegoButton" value="true" />
>         </transition>
>         <transition on="no" to="generateLoginTicket" />
>     </action-state>
>
>     <action-state id="spnegoIPCheckAction2">
>         <evaluate expression="spNegoIPCheck" />
>         <transition on="yes" to="startAuthenticate" />
>         <transition on="no" to="generateLoginTicket" />
>     </action-state>
>
>     <action-state id="startAuthenticate">
>         <evaluate expression="negociateSpnego" />
>         <transition on="success" to="spnego" />
>     </action-state>
>
>     <action-state id="spnego">
>         <evaluate expression="spnego" />
>         <transition on="success" to="sendTicketGrantingTicket" />
>         <transition on="error" to="generateLoginTicket" />
>     </action-state>
>
>     <action-state id="generateLoginTicket">
>         <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>         <transition on="success" to="viewLoginForm" />
>     </action-state>
>
> Here are my new spnego.properties
>
>     # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the SPNEGO by changing the success transition
>     #   of the initialLoginForm action-state to startSpnegoAuthenticate
>     # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the client based on the client action strategy
>     #   defined in evaluateClientActionStrategy. It changes the success transition of the initialLoginForm action-state
>     #   to evaluateClientRequest
>     cas.authn.spnego.spnegoMode=evaluateClient|direct
>
>     # The following property is deprecated
>     #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
>
>     # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
>     #   where CAS checks to see if the request's remote hostname matches a predefined pattern
>     # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
>     #   where CAS checks an LDAP instance for the remote hostname, to locate a pre-defined attribute
>     #   whose mere existence would allow the webflow to resume to SPNEGO
>     # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>     #   where CAS checks if the service corresponds to a regular expression defined in serviceNamePatternString
>     #   and the ip corresponds to ipsToCheckPattern implemented in baseSpnegoClientAction
>     cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>     cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>     cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>
> It works well for me.
> If you want it, I could send you the code.
>
> On Thursday, 17 May 2018 01:47:54 UTC-4, Nicholas Wylie wrote:
>>
>> Hi CAS Community,
>>
>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication against our Active Directory.
>>
>> What we have noticed though is that non-domain-joined computers see a pop-up prompt for credentials when they visit the CAS login page. From my reading, I believe we can fix this by configuring the LDAP Client Selection Strategy for SPNEGO, but the documentation for which properties need to be configured seems to be a bit scarce.
>>
>> Can someone offer any guidance (or a link to some documentation) as to which properties I need to configure to use the LDAP Client Selection Strategy?
>>
>> Thanks,
>> Nicholas
>>
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/_jUtK7VnhFs/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.

--
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CANjq9ChHNPOLZSeU%3DmHs1MP3cyB1F69imxA7LzrDrc56oSWzTQ%40mail.gmail.com.
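The decision logic of the webflow quoted in Christian's message (the spnego=off opt-out, the forcespnego parameter, the service-name check, and the IP check that either forces SPNEGO or only shows the "LOGIN WITH MY WINDOWS ACCOUNT" button) can be walked through with sample requests before touching a CAS deployment. The Python below is an added example, not code from the CAS project or from anyone in this thread: it models the flow states rather than calling CAS, it uses the two pattern values from the posted spnego.properties, and the helper names (ip_allowed, service_allowed, next_state) are its own. It assumes the service pattern is matched against the whole hostname of the service URL and the IP pattern against the whole remote address; the post does not show how the CAS actions apply the patterns, so that part is an assumption. It also shows why the posted IP pattern should have its second dot escaped and be matched against the full address rather than as a prefix.

```python
import re
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Pattern values copied from the spnego.properties in the quoted post.
IPS_TO_CHECK_PATTERN = r"((127\.0)|(122.110))(\.[0-9]{1,3}){2}"
SERVICE_NAME_PATTERN = r"(app1\.domain\.ca)|(app2\.domain\.ca)"

# Same IP pattern with the '.' in 122.110 escaped: in the posted form that
# '.' matches any character, so an address such as '122x110.4.7' passes.
IPS_TO_CHECK_PATTERN_STRICT = r"((127\.0)|(122\.110))(\.[0-9]{1,3}){2}"


def ip_allowed(remote_ip: str, pattern: str = IPS_TO_CHECK_PATTERN_STRICT,
               full_match: bool = True) -> bool:
    """Model of spNegoIPCheck: does the client address match ipsToCheckPattern?

    full_match=True requires the whole address to match.  With a prefix match
    a malformed address such as '127.0.0.1999' still passes.  Hypothetical
    helper: how the real CAS action applies the pattern is not on the page.
    """
    rx = re.compile(pattern)
    m = rx.fullmatch(remote_ip) if full_match else rx.match(remote_ip)
    return m is not None


def service_allowed(service: Optional[str],
                    pattern: str = SERVICE_NAME_PATTERN) -> bool:
    """Model of spNegoAppCheck: does the service hostname match serviceNamePatternString?

    Matching the whole hostname, rather than searching the URL string, keeps
    'https://app1.domain.ca.evil.example/' from qualifying.  Assumption: the
    post does not show which part of the service the CAS action inspects.
    """
    if not service:
        return False
    host = urlsplit(service).hostname
    return host is not None and re.fullmatch(pattern, host) is not None


def next_state(remote_ip: str, service: Optional[str],
               params: Dict[str, str]) -> Tuple[str, bool]:
    """Walk the quoted webflow from startAuthenticateCheck.

    Returns (state the flow reaches, value of flowScope.displaySPNegoButton).
    'startAuthenticate' means SPNEGO is forced; 'generateLoginTicket' means the
    username/password form is shown, with or without the Windows-account button.
    """
    # startAuthenticateCheck: ?spnego=off opts out of SPNEGO entirely
    if params.get("spnego") == "off":
        return "generateLoginTicket", False
    ip_ok = ip_allowed(remote_ip)
    # spnegoForceCheckAction: ?forcespnego=true goes to spnegoIPCheckAction2
    if params.get("forcespnego") == "true":
        return ("startAuthenticate" if ip_ok else "generateLoginTicket"), False
    # spnegoAppCheckAction: a matching service also goes to spnegoIPCheckAction2
    if service_allowed(service):
        return ("startAuthenticate" if ip_ok else "generateLoginTicket"), False
    # spnegoIPCheckAction: a matching IP alone only displays the button
    return "generateLoginTicket", ip_ok


if __name__ == "__main__":
    # Constructed sample requests, one per branch of the flow.
    samples = [
        ("127.0.0.1", "https://app1.domain.ca/", {}),
        ("10.1.2.3", "https://app1.domain.ca/", {}),
        ("127.0.0.1", "https://other.example/", {}),
        ("127.0.0.1", "https://app1.domain.ca/", {"spnego": "off"}),
        ("122.110.9.9", None, {"forcespnego": "true"}),
        ("10.1.2.3", None, {}),
        ("127.0.0.1", "https://app1.domain.ca.evil.example/", {}),
    ]
    for ip, svc, p in samples:
        print(ip, svc, p, "->", next_state(ip, svc, p))
    print("posted pattern accepts '122x110.4.7':",
          ip_allowed("122x110.4.7", IPS_TO_CHECK_PATTERN))
```

The remote_ip passed in is whatever the caller supplies; in a deployment it has to be the socket peer address or an address derived from a proxy the server actually trusts, because an address taken from a client-controlled header would let any client satisfy the IP branch and be offered (or forced into) SPNEGO.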
