Colin,

I was thinking the user would enter their home organization rather than the 
auth provider.

CAS should step through different authentication mechanisms in the order they 
are listed [in config] until it finds a match or exhausts all mechanisms. We 
use multiple LDAP entries that differ only in the tree searched. I have not 
tried other mechanisms like Radius, but it may still apply.

If the above does not work, yes you could insert some Java LDAP calls.

Ray

On Mon, 2019-12-16 at 13:22 -0500, Colin Ryan wrote:
Ray,

Thanks for the response. The issue I see with this is I don't want to have to rely 
on user input to start this all off. What I need to avoid is a user finding a 
way to successfully validate via, say, AuthProvider A (i.e. LDAP), when I in fact 
needed them to authenticate via Provider B (i.e. Radius). Unless I'm missing 
something, depending on the user to provide the input required for such a 
decision is not desirable.

Unless you're simply pointing me in a direction where I could insert some Java 
LDAP calls as I receive the incoming UserID, and then dynamically adjust the 
Authentication Provider to use for the actual Auth.

Cheers

Sorry to be so unclear. It's all so obvious with different URLs/Services, but 
I'm basically trying to manage a centralized administrative tool overlaying 
what is essentially a multi-tenanted User Database, and CAS's contexts are so 
service focused.

Colin

On 2019-12-16 12:40 p.m., Ray Bon wrote:
Colin,

In federated access, the user is often presented with a discovery lookup where 
they select or type their chosen identity provider. It is possible to modify 
the CAS web flow, 
https://apereo.github.io/cas/6.1.x/webflow/Webflow-Customization.html, and 
insert such a page.
See, https://samltest.id/start-idp-test/, for an example (EntityID == 
organization).

For subsequent events like MFA, you can trigger those with user attribute(s) 
set in the service definition.

Ray

On Mon, 2019-12-16 at 11:47 -0500, Colin Ryan wrote:

Folks,

I have a central application that will be used by multiple groups of users. 
These users are organized organizationally in LDAP as the primary system of 
record. However each organization will have a potentially different choice of 
which of my available authentication providers need to be presented/enforced 
for users in said "organization".

So I'm looking for a way to trigger, prior to actual authentication, a dynamic 
configuration decision as to what authentication provider a particular user 
needs to be presented with, but all accessing the same service URL.

I'm expecting I'll need to intercept the authentication request at some point, 
do an LDAP lookup on the user ID and grab my determining attribute and then, 
based upon the value of said attribute, essentially dynamically assign this 
user an auth. service. This authentication could be LDAP, Radius or even 
subsequent MFA. Kind of what the MFA triggers do, but dynamically updating even 
what the original first authentication factor would be.

I haven't seen any native configurations for CAS that would let me do this, so 
just wondering where I could hook into the CAS sequences/flows to do such a 
thing.

or)

As an aside or potential alternative I'd imagined a way where I could provide a 
particular user set with a unique service URL; this could be used to provide 
resolution to what authentication source that "organization" should use, but 
then upon authenticating redirect them to the central application with SSO. I 
would need however to prevent users from accidentally (or nefariously) going 
directly to the central application and potentially authenticating with an 
inappropriate authentication source. Is there a way to maybe configure a Java 
Spring App so that it can only accept proxied authentications or something 
along those lines?

Hopefully I've made sense in explaining my requirements here.

Sincerely,

Colin

--

Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]

I respectfully acknowledge that my place of work is located within the 
ancestral, traditional and unceded territory of the Songhees, Esquimalt and 
WSÁNEĆ Nations.
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/fb49de81df567a592a9d2857b0fdbcf255533fe5.camel%40uvic.ca.



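The two designs discussed in this thread, as an added example that is not part of the thread and not CAS code: Ray's ordered list of LDAP handlers that differ only in the tree searched (first match wins), and Colin's requirement that the provider be chosen from a directory attribute before authentication and that a login through the wrong provider be refused. A constructed in-memory directory stands in for LDAP, the organization attribute `o` stands in for Colin's "determining attribute", and the policy table, handler names and function names are the author's own assumptions.

```python
"""Per-organization authentication-provider selection and enforcement.

Added example for this thread; it is not CAS code.  A constructed in-memory
directory stands in for LDAP, and the handler names and policy are assumed.
"""

# Constructed directory: DN -> attributes.  The "o" attribute plays the role
# of the determining attribute Colin wants to look up before authentication.
DIRECTORY = {
    "uid=alice,ou=people,o=orgA": {"uid": "alice", "o": "orgA"},
    "uid=bob,ou=people,o=orgB":   {"uid": "bob",   "o": "orgB"},
    "uid=carol,ou=people,o=orgA": {"uid": "carol", "o": "orgA"},
    "uid=carol,ou=people,o=orgB": {"uid": "carol", "o": "orgB"},  # same ID in two trees
}

# Constructed per-organization policy: which first-factor provider(s) are
# acceptable for that organization and whether MFA must follow.
ORG_POLICY = {
    "orgA": {"providers": ("ldap-orgA",), "mfa": False},
    "orgB": {"providers": ("radius",),    "mfa": True},
}

# LDAP handlers in the order they would be listed, differing only in the
# search base (Ray's configuration).
LDAP_HANDLERS = [("ldap-orgA", "o=orgA"), ("ldap-orgB", "o=orgB")]


def find_entries(uid):
    """All DNs whose uid matches, across every tree."""
    return [dn for dn, attrs in DIRECTORY.items() if attrs["uid"] == uid]


def first_match_handler(uid):
    """Ordered-handler behaviour: the first tree containing the uid wins.

    This answers 'where does this ID exist', not 'which provider must this
    organization use': bob (policy: Radius) is still matched by an LDAP
    handler, and carol's duplicate ID is resolved by list order.
    """
    for name, base in LDAP_HANDLERS:
        if any(dn.endswith(base) for dn in find_entries(uid)):
            return name
    return None


def resolve_organization(uid):
    """Organization of the submitted uid; fails closed if unknown or ambiguous."""
    orgs = {DIRECTORY[dn]["o"] for dn in find_entries(uid)}
    return orgs.pop() if len(orgs) == 1 else None


def select_providers(uid):
    """Pre-authentication decision: providers to present and whether MFA
    follows, derived from the directory rather than from user input."""
    org = resolve_organization(uid)
    if org is None:
        return {"providers": (), "mfa": False, "reason": "unknown or ambiguous uid"}
    policy = ORG_POLICY[org]
    return {"providers": policy["providers"], "mfa": policy["mfa"], "reason": "ok"}


def authorize_login(uid, succeeded_with):
    """Post-authentication check: refuse a login whose provider the user's
    organization does not permit, even though some credential matched.
    Returns (allowed, reason)."""
    decision = select_providers(uid)
    if not decision["providers"]:
        return False, decision["reason"]
    if succeeded_with not in decision["providers"]:
        return False, f"{succeeded_with} not permitted for {uid}"
    return True, "mfa required" if decision["mfa"] else "ok"


if __name__ == "__main__":
    for uid, provider in [("alice", "ldap-orgA"), ("bob", "ldap-orgB"), ("carol", "ldap-orgA")]:
        print(uid, "first-match:", first_match_handler(uid),
              "enforced:", authorize_login(uid, provider))
```

The enforcement step is the part that addresses Colin's concern about a user reaching the central application through the wrong source: whatever handler happened to accept the credential, the login is only allowed if that handler is one the user's organization permits, and an ID present in more than one tree is rejected rather than resolved by list order.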