Delegated Authentication - Auto Redirection/Selection
By default, the list of available identity providers are displayed in a selection menu and the user is allowed to choose the provider. In certain scenarios, the browser may be instructed to auto-redirect to a pre-selected identity provider.
Pre-selected Identity Provider
An identity provider can be instructed via CAS configuration to always perform an auto-redirect, regardless of the application type and/or authentication requests. The selected identity provider is considered by CAS to be the primary strategy for handling authentication requests.
Identity Provider Exclusivity
Authentication requests from the following application will be auto-redirected to the identity provider that is identified
as Twitter
in the CAS configuration, since the delegated authentication policy only allows the single exclusive use
of this provider, removing selection menu and the ability to choose other alternative authentication methods.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "sample",
"name" : "sample",
"id" : 100,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"allowedProviders" : [ "java.util.ArrayList", [ "Twitter" ] ],
"exclusive": true
}
}
}
Identity Provider Cookie Selection
A chosen identity provider from the selection menu can be optionally tracked and stored using a dedicated cookie, which will then be used on subsequent attempts to auto-redirect to the identity provider, skipping the selection menu.
The following settings and properties are available from the CAS configuration catalog:
cas.authn.pac4j.cookie.auto-configure-cookie-path=true
Decide if cookie paths should be automatically configured based on the application context path, when the cookie path is not configured.
|
cas.authn.pac4j.cookie.domain=
Cookie domain. Specifies the domain within which this cookie should be presented. The form of the domain name is specified by RFC 2965. A domain name begins with a dot (.foo.com) and means that the cookie is visible to servers in a specified Domain Name System (DNS) zone (for example, www.foo.com, but not a.b.foo.com). By default, cookies are only returned to the server that sent them.
|
cas.authn.pac4j.cookie.enabled=false
Determine whether cookie settings should be enabled to track delegated authentication choices and identity providers.
|
cas.authn.pac4j.cookie.http-only=true
true if this cookie contains the HttpOnly attribute. This means that the cookie should not be accessible to scripting engines, like javascript.
|
cas.authn.pac4j.cookie.max-age=-1
The maximum age of the cookie, specified in seconds. By default,
|
cas.authn.pac4j.cookie.name=
Cookie name. Constructs a cookie with a specified name and value. The name must conform to RFC 2965. That means it can contain only ASCII alphanumeric characters and cannot contain commas, semicolons, or white space or begin with a
|
cas.authn.pac4j.cookie.path=
Cookie path. Specifies a path for the cookie to which the client should return the cookie. The cookie is visible to all the pages in the directory you specify, and all the pages in that directory's subdirectories. A cookie's path must include the servlet that set the cookie, for example, /catalog, which makes the cookie visible to all directories on the server under /catalog. Consult RFC 2965 (available on the Internet) for more information on setting path names for cookies.
|
cas.authn.pac4j.cookie.same-site-policy=
If a cookie is only intended to be accessed in a first party context, the developer has the option to apply one of settings SameSite=None , to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute is used so cross-site cookies can only be accessed over HTTPS connections. Accepted values are:
|
cas.authn.pac4j.cookie.secure=true
True if sending this cookie should be restricted to a secure protocol, or false if the it can be sent using any protocol.
|
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty
, cas.some-property
, cas.some_property
are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas
. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value
. The index [0]
is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
Identity Provider Groovy Selection
The auto-redirection strategy of a given identity provider may also be decided dynamically via a Groovy resource whose path is defined via CAS settings.
The following settings and properties are available from the CAS configuration catalog:
cas.authn.pac4j.core.groovy-redirection-strategy.location=
The location of the resource. Resources can be URLs, or files found either on the classpath or outside somewhere in the file system. In the event the configured resource is a Groovy script, specially if the script set to reload on changes, you may need to adjust the total number ofinotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf : fs.inotify.max_user_instances = 256 . You can check the current value via cat /proc/sys/fs/inotify/max_user_instances . In situations and scenarios where CAS is able to automatically watch the underlying resource for changes and detect updates and modifications dynamically, you may be able to specify the following setting as either an environment variable or system property with a value of false to disable the resource watcher: org.apereo.cas.util.io.PathWatcherService .
|
Please review this guide to configure your build.
Configuration Metadata
The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.
Be Selective
This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.
YAGNI
Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.
Naming Convention
Property names can be specified in very relaxed terms. For instance cas.someProperty
, cas.some-property
, cas.some_property
are all valid names. While all
forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where
this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those
that might be presented to the system via an external library or framework such as Spring Boot, etc.
When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value
.
The only possible exception to this rule is when naming actuator endpoints; The name of the
actuator endpoints (i.e. ssoSessions
) MUST remain in camelCase mode.
Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas
. All other settings are controlled and provided
to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with
the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition
or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the
way you intend.
Validation
Configuration properties are automatically validated on CAS startup to report issues with configuration binding, specially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.
Indexed Settings
CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value
. The index [0]
is meant to be
incremented by the adopter to allow for distinct multiple configuration blocks.
The Groovy script would have the following outline:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import org.apereo.cas.web.*
import org.pac4j.core.context.*
import org.apereo.cas.pac4j.*
import org.apereo.cas.web.support.*
import java.util.stream.*
import java.util.*
import org.apereo.cas.configuration.model.support.delegation.*
def run(Object[] args) {
def (requestContext,service,registeredService,providers,applicationContext,logger) = args
providers.forEach(provider -> {
logger.info("Checking ${provider.name}...")
if (provider.name.equals("Twitter")) {
provider.autoRedirectType = DelegationAutoRedirectTypes.CLIENT
return provider
}
})
return null
}
To prepare CAS to support and integrate with Apache Groovy, please review this guide.
The following parameters are passed to the script:
Parameter | Description |
---|---|
requestContext |
Reference to the Spring Webflow request context, as RequestContext . |
service |
Reference to the application authentication request as Service , if any. |
registeredService |
Reference to registered service definition, if any. |
providers |
Reference to the set of identity provider configuration identified as DelegatedClientIdentityProviderConfiguration . |
applicationContext |
Reference to the application context as ApplicationContext . |
logger |
The object responsible for issuing log messages such as logger.info(...) . |
Identity Provider Selection Per Service
The auto-redirection strategy of a given identity provider may also be decided dynamically via a Groovy resource whose path specified directly in the service definition as part of the authentication policy’s provider selection strategy:
1
2
3
4
5
6
7
8
9
10
11
12
13
{
"@class" : "org.apereo.cas.services.CasRegisteredService",
"serviceId" : "sample",
"name" : "sample",
"id" : 100,
"accessStrategy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceAccessStrategy",
"delegatedAuthenticationPolicy" : {
"@class" : "org.apereo.cas.services.DefaultRegisteredServiceDelegatedAuthenticationPolicy",
"selectionStrategy": "file:/path/to/script.groovy"
}
}
}
If you wish, you may also use a Groovy Inline syntax using the groovy {...}
construct.
To prepare CAS to support and integrate with Apache Groovy, please review this guide. The collection of parameters and the script body are identical to the Identity Provider Groovy Selection option above.
Identity Provider Custom Selection
If you wish to create your own redirection strategy, you will need to design a component and register it with CAS as such:
1
2
3
4
@Bean
public DelegatedClientIdentityProviderRedirectionStrategy delegatedClientIdentityProviderRedirectionStrategy() {
return new CustomDelegatedClientIdentityProviderRedirectionStrategy();
}
See this guide to learn more about how to register configurations into the CAS runtime.