Entity Id Request Parameter - Multifactor Authentication Triggers

In situations where authentication is delegated to CAS, most commonly via a Shibboleth Identity Provider, the entity id may be passed as a request parameter to CAS to be treated as a CAS registered service. This allows one to activate multifactor authentication policies based on the entity id that is registered in the CAS service registry. As a side benefit, the entity id can take advantage of all other CAS features such as access strategies and authorization rules because it’s just another service definition known to CAS.

To learn more about integration options and to understand how to delegate authentication to CAS from a Shibboleth identity provider, please see this guide.

Support is enabled by including the following dependency in the WAR overlay:

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-shibboleth</artifactId>
    <version>${cas.version}</version>
</dependency>

implementation "org.apereo.cas:cas-server-support-shibboleth:${project.'cas.version'}"

dependencyManagement {
    imports {
        mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
    }
}

dependencies {
    implementation "org.apereo.cas:cas-server-support-shibboleth"
}

dependencies {
    /*
        The following platform references should be included automatically and are listed here for reference only.

        implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
        implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
        
    */
    implementation "org.apereo.cas:cas-server-support-shibboleth"
}

The entityId parameter may be passed as such:

https://.../cas/login?service=http://idp.example.org&entityId=the-entity-id-passed
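
For the entity id to activate a multifactor policy, it has to match a service definition in the CAS service registry. The definition below is an added example, not part of the original page: it registers the entity id from the URL above and attaches a multifactor policy to it. The numeric id, the name, the file layout and the `mfa-duo` provider are assumptions, and the `@class` of the service is the one used by recent CAS releases (older releases use `org.apereo.cas.services.RegexRegisteredService`), so check it against your version.

```json
{
  /* Assumed example for the JSON service registry; id and name are placeholders. */
  "@class": "org.apereo.cas.services.CasRegisteredService",

  /* serviceId is a regular expression matched against the entityId value.
     Anchor it so that only this exact entity id matches. */
  "serviceId": "^the-entity-id-passed$",
  "name": "ShibbolethEntityIdExample",
  "id": 1000,
  "evaluationOrder": 10,

  /* Require the assumed provider "mfa-duo" whenever this entity id is presented. */
  "multifactorPolicy": {
    "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
    "multifactorAuthenticationProviders": [ "java.util.HashSet", [ "mfa-duo" ] ]
  }
}
```

Real entity ids are usually URLs, so escape regex metacharacters such as `.` in `serviceId`, and URL-encode the value when it is placed in the `entityId` request parameter. An unanchored or overly broad pattern would apply this policy, and any access strategy on the definition, to entity ids it was not meant for.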