Hi there. CAS 6.6.x, delegated authN to an IdP, i.e. CAS delegating to an external IdP, when the user mapping is one-to-many.

For historical reasons, one person may have multiple usernames across apps protected by the same CAS instance. These usernames map to the same username on the external IdP, thus one-to-many. For instance, App A and B are protected by CAS; same person but two different usernames: jsmith on A, smithj on B. CAS provides authentication today. Tomorrow, CAS delegates authN to an external IdP, and this person already has the username johnsmith on that external IdP. During login, he enters johnsmith and his credential; after authentication and the response back to CAS as johnsmith, CAS needs to figure out whether the username is jsmith or smithj. The ask is to present a UI and let the person select, as he would know best. It feels like a bad idea (as we are letting the user say who he is), but this is a migration, the user is already authenticated, and we fully trust that external IdP; it is the best user experience for backward compatibility. I cannot explain why this may be an insecure practice. Any thoughts? Thanks!

Yan Yan

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/0d9a90bc-720b-442a-b481-53611c4ce52en%40apereo.org.
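The post above asks where the risk is in letting an already-authenticated user pick a legacy username. As an added illustration (not CAS code and not from the poster; the mapping table, the session object and the function names are all constructed for this example), the following shows the difference between a selection screen whose choices are looked up server-side from the IdP-asserted subject and one that simply trusts whatever username the browser posts back. The key point is that the candidate set must be keyed only on the identifier the trusted IdP asserted, the submitted choice must be checked against that set on the server, and the one-candidate and zero-candidate cases should be resolved without any user input at all.

```python
"""Post-delegation account selection with a one-to-many user mapping.

Constructed example, not CAS code. Models the situation in the post:
the external IdP asserts "johnsmith"; the local directory says that
subject owns the legacy usernames "jsmith" and "smithj".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed mapping: IdP-asserted subject -> legacy local usernames.
# In a real deployment this comes from a directory or database that the
# authenticating user cannot edit; it is the only source of candidates.
IDP_TO_LOCAL: Dict[str, Set[str]] = {
    "johnsmith": {"jsmith", "smithj"},
    "adoe": {"adoe"},
}


@dataclass
class DelegatedSession:
    """State CAS holds after the external IdP has authenticated the user."""
    idp_subject: str                     # value asserted by the trusted IdP
    selected_local: Optional[str] = None  # legacy username bound to this session


def candidate_usernames(session: DelegatedSession) -> List[str]:
    """Server-side lookup keyed only on the IdP-asserted subject."""
    return sorted(IDP_TO_LOCAL.get(session.idp_subject, set()))


def insecure_select(session: DelegatedSession, chosen: str) -> str:
    """The pattern to avoid: the browser's POST decides who the user is.

    Nothing ties `chosen` to `idp_subject`, so a user who tampers with the
    form can become any local account, including ones the IdP never
    vouched for."""
    session.selected_local = chosen
    return chosen


def secure_select(session: DelegatedSession, chosen: str) -> str:
    """Accept a choice only if it is one of this subject's own candidates.

    The IdP authenticated the person; this check keeps the UI from
    widening that assertion to accounts the mapping does not grant."""
    candidates = IDP_TO_LOCAL.get(session.idp_subject, set())
    if chosen not in candidates:
        raise PermissionError(
            f"{chosen!r} is not mapped to IdP subject {session.idp_subject!r}"
        )
    session.selected_local = chosen
    return chosen


def resolve(session: DelegatedSession) -> Tuple[str, Optional[List[str]]]:
    """Decide what to do after delegated authentication succeeds.

    Returns one of:
      ("selected", [name])   exactly one mapping: bind it, no UI needed
      ("choose",   [names])  several mappings: show *these* choices only
      ("deny",     None)     no mapping: do not let the user type one in
    """
    candidates = candidate_usernames(session)
    if not candidates:
        return ("deny", None)
    if len(candidates) == 1:
        session.selected_local = candidates[0]
        return ("selected", candidates)
    return ("choose", candidates)


def audit_record(session: DelegatedSession) -> Dict[str, Optional[str]]:
    """What to log: both identities, so the selection is reconstructible."""
    return {"idp_subject": session.idp_subject,
            "local_username": session.selected_local}
```

Usage: after the IdP response is validated, call `resolve()`; only when it returns `"choose"` does a selection page make sense, and the form it renders should list exactly the returned candidates, with `secure_select()` re-checking the submitted value rather than trusting the rendered list. Logging both the IdP subject and the chosen local username keeps the selection auditable during the migration.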