Hi Charles I am using the 5.3.0-RC3. I illustrated the webflow to see the logic. The webflow logic is built in the code. I will check if the implementation based on a RegisteredServiceAccessStrategy is possible.
Christian Poirier
Mobile: 418-473-2824

2018-05-18 1:28 GMT-04:00 Charles Le Gallic <[email protected]>:

> Hi Christian,
>
> Which version of CAS do you use?
>
> It seems to be a version below CAS 5.0.x (org.jasig packages and XML
> spring configurations). SPNEGO client selection strategy was working on 4.x
> version, but I cannot make it work after having upgraded to CAS 5.1.x....
>
> Regards,
>
> Charles
>
> <http://www.amoae.com/>
> 12, impasse du Malrigou, 31140 Montberon
> [email protected] | 06 24 73 04 98 | *amoae.com* <http://amoae.com/>
>
> On Thu. 17 May 2018 at 15:25, Christian Poirier <[email protected]> wrote:
>
>> Hi Nicolas,
>>
>> In our organization, we need to let the user choose between the default
>> login and SPNEGO upon a list of criteria, and sometimes we need to go
>> directly to the SPNEGO authentication upon other criteria. For this
>> feature, I extended the SPNEGO module. I show a button with the label
>> "LOGIN WITH MY WINDOWS ACCOUNT" when the IP address matches a regular
>> expression. When the service matches a regular expression and the IP
>> address also matches its regular expression, I force SPNEGO authentication
>> without giving the user the chance to authenticate otherwise. If none of
>> the previous conditions are present, then the user must authenticate
>> normally with his user ID and password.
>> If you look at the following webflow, you will find this logic inside.
>>
>> <var name="credentials" class="org.jasig.cas.authentication.principal.UsernamePasswordCredentials" />
>>
>> <on-start>
>>     <evaluate expression="initialFlowSetupAction" />
>>     <set name="flowScope.displaySPNegoButton" value="false" />
>> </on-start>
>>
>> <decision-state id="ticketGrantingTicketExistsCheck">
>>     <if test="flowScope.ticketGrantingTicketId neq null" then="hasServiceCheck" else="gatewayRequestCheck" />
>> </decision-state>
>>
>> <decision-state id="gatewayRequestCheck">
>>     <if test="externalContext.requestParameterMap['gateway'] neq ''
>>               && externalContext.requestParameterMap['gateway'] neq null
>>               && flowScope.service neq null" then="gatewayServicesManagementCheck" else="startAuthenticateCheck" />
>> </decision-state>
>>
>> <decision-state id="hasServiceCheck">
>>     <if test="flowScope.service != null" then="renewRequestCheck" else="viewGenericLoginSuccess" />
>> </decision-state>
>>
>> <decision-state id="renewRequestCheck">
>>     <if test="externalContext.requestParameterMap['renew'] neq ''
>>               && externalContext.requestParameterMap['renew'] neq null" then="startAuthenticateCheck" else="generateServiceTicket" />
>> </decision-state>
>>
>> <!--
>>     The "warn" action makes the determination of whether to redirect directly to the requested
>>     service or display the "confirmation" page to go back to the server.
>> -->
>> <decision-state id="warn">
>>     <if test="flowScope.warnCookieValue" then="showWarningView" else="redirect" />
>> </decision-state>
>>
>> <!--
>> <action-state id="startAuthenticate">
>>     <action bean="x509Check" />
>>     <transition on="success" to="sendTicketGrantingTicket" />
>>     <transition on="warn" to="warn" />
>>     <transition on="error" to="generateLoginTicket" />
>> </action-state>
>> -->
>>
>> <decision-state id="startAuthenticateCheck">
>>     <if test="externalContext.requestParameterMap['spnego'] neq ''
>>               && externalContext.requestParameterMap['spnego'] neq null
>>               && externalContext.requestParameterMap['spnego'] eq 'off'" then="generateLoginTicket" else="spnegoForceCheckAction" />
>> </decision-state>
>>
>> <decision-state id="spnegoForceCheckAction">
>>     <if test="externalContext.requestParameterMap['forcespnego'] neq ''
>>               && externalContext.requestParameterMap['forcespnego'] neq null
>>               && externalContext.requestParameterMap['forcespnego'] eq 'true'" then="spnegoIPCheckAction2" else="spnegoAppCheckAction" />
>> </decision-state>
>>
>> <action-state id="spnegoAppCheckAction">
>>     <evaluate expression="spNegoAppCheck" />
>>     <transition on="yes" to="spnegoIPCheckAction2" />
>>     <transition on="no" to="spnegoIPCheckAction" />
>> </action-state>
>>
>> <action-state id="spnegoIPCheckAction">
>>     <evaluate expression="spNegoIPCheck" />
>>     <transition on="yes" to="generateLoginTicket">
>>         <set name="flowScope.displaySPNegoButton" value="true" />
>>     </transition>
>>     <transition on="no" to="generateLoginTicket" />
>> </action-state>
>>
>> <action-state id="spnegoIPCheckAction2">
>>     <evaluate expression="spNegoIPCheck" />
>>     <transition on="yes" to="startAuthenticate" />
>>     <transition on="no" to="generateLoginTicket" />
>> </action-state>
>>
>> <action-state id="startAuthenticate">
>>     <evaluate expression="negociateSpnego" />
>>     <transition on="success" to="spnego" />
>> </action-state>
>>
>> <action-state id="spnego">
>>     <evaluate expression="spnego" />
>>     <transition on="success" to="sendTicketGrantingTicket" />
>>     <transition on="error" to="generateLoginTicket" />
>> </action-state>
>>
>> <action-state id="generateLoginTicket">
>>     <evaluate expression="generateLoginTicketAction.generate(flowRequestContext)" />
>>     <transition on="success" to="viewLoginForm" />
>> </action-state>
>>
>> Here are my new spnego.properties
>>
>> # cas.authn.spnego.spnegoMode=direct: indicates to go directly to the
>> # SPNEGO by changing the success transition of initialLoginForm action-state
>> # to startSpnegoAuthenticate
>> # cas.authn.spnego.spnegoMode=evaluateClient: indicates to evaluate the
>> # client based on the client action strategy defined in
>> # evaluateClientActionStrategy. It changes the success transition of
>> # initialLoginForm action-state to evaluateClientRequest
>> cas.authn.spnego.spnegoMode=evaluateClient|direct
>> # The following property is deprecated
>> #cas.authn.spnego.hostNameClientActionStrategy=serviceNameSpnegoClientAction
>> # cas.authn.spnego.evaluateClientActionStrategy=hostnameSpnegoClientAction
>> #   where CAS checks to see if the request's remote hostname matches a predefined pattern
>> # cas.authn.spnego.evaluateClientActionStrategy=ldapSpnegoClientAction
>> #   where CAS checks an LDAP instance for the remote hostname,
>> #   to locate a pre-defined attribute whose mere existence would allow the webflow to resume to SPNEGO
>> # cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>> #   where CAS checks if the service corresponds to a regularExpression
>> #   defined in serviceNamePatternString and the ip corresponds to ipsToCheckPattern
>> #   implemented in baseSpnegoClientAction
>> cas.authn.spnego.evaluateClientActionStrategy=serviceNameSpnegoClientAction
>> cas.authn.spnego.ipsToCheckPattern=((127\.0)|(122.110))(\.[0-9]{1,3}){2}
>> cas.authn.spnego.serviceNamePatternString=(app1\.domain\.ca)|(app2\.domain\.ca)
>>
>> It works well for me. If you want it, I could send you the code.
>>
>> On Thursday, 17 May 2018 01:47:54 UTC-4, Nicholas Wylie wrote:
>>>
>>> Hi CAS Community,
>>>
>>> I've successfully configured CAS 5.2 with LDAP/SPNEGO authentication
>>> against our Active Directory.
>>>
>>> What we have noticed though is that non-domain joined computers see a
>>> pop-up prompt for credentials when they visit the CAS login page. From my
>>> reading, I believe we can fix this by configuring the LDAP Client Selection
>>> Strategy for SPNEGO, but the documentation for which properties need to be
>>> configured seems to be a bit scarce.
>>>
>>> Can someone offer any guidance (or a link to some documentation) as to
>>> which properties I need to configure to use the LDAP Client Selection
>>> Strategy?
>>>
>>> Thanks,
>>> Nicholas
>>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to a topic in the
>> Google Groups "CAS Community" group.
>> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/_jUtK7VnhFs/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/deeb374f-38e0-4bb0-8b18-35cc3ee46a7c%40apereo.org.
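The selection logic Christian describes (show the button when the client IP matches, force SPNEGO when both the service and the IP match, otherwise fall back to the username/password form), written out as an added stand-alone example; this is not code from the thread or from CAS. It assumes the service pattern is applied to the hostname of the CAS `service` URL, and it escapes the dot in the second IP alternative, since the posted pattern's bare dot also matches a non-digit character.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed copies of the two patterns from the posted spnego.properties.
# POSTED_IPS keeps the bare dot of the original; IPS_TO_CHECK escapes it, because
# a bare dot also matches "122x110" (see unescaped_dot_pitfall below).
POSTED_IPS = r"((127\.0)|(122.110))(\.[0-9]{1,3}){2}"
IPS_TO_CHECK = r"((127\.0)|(122\.110))(\.[0-9]{1,3}){2}"
SERVICE_NAME = r"(app1\.domain\.ca)|(app2\.domain\.ca)"


def ip_matches(remote_ip, pattern=IPS_TO_CHECK):
    """True when remote_ip is a syntactically valid address AND the whole string
    matches the pattern (fullmatch anchors it; a bare search would also accept
    "x127.0.0.1")."""
    try:
        ip_address(remote_ip)
    except ValueError:
        return False
    return re.fullmatch(pattern, remote_ip) is not None


def service_matches(service_url, pattern=SERVICE_NAME):
    """Assumption: the service regex is matched against the host part of the CAS
    'service' parameter, never the raw URL (a raw-URL match could be satisfied
    by a lookalike path or query string on an unrelated host)."""
    if not service_url:
        return False
    host = urlparse(service_url).hostname or ""
    return re.fullmatch(pattern, host) is not None


def select_login_mode(remote_ip, service_url, force_spnego=False, spnego_off=False):
    """Mirror the decision states of the posted webflow and return one of
    'force_spnego', 'login_with_button' or 'login_form'."""
    if spnego_off:                       # startAuthenticateCheck: ?spnego=off
        return "login_form"
    # spnegoForceCheckAction / spnegoAppCheckAction both lead to spnegoIPCheckAction2,
    # so even a client-supplied forcespnego=true is still gated by the IP pattern.
    if force_spnego or service_matches(service_url):
        return "force_spnego" if ip_matches(remote_ip) else "login_form"
    # spnegoIPCheckAction: a matching IP only enables the button on the login form.
    return "login_with_button" if ip_matches(remote_ip) else "login_form"


def unescaped_dot_pitfall(sample="122x110.1.1"):
    """True when the posted (unescaped, unanchored) pattern accepts a string that
    is not even an IP address; this is why IPS_TO_CHECK escapes the dot."""
    return re.search(POSTED_IPS, sample) is not None
```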
