WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
Passwordless Authentication - User Selection Menu
A passwordless account can be decorated to allow the user to select from a menu of available authentication options. This feature is useful in scenarios where the account may be eligible for multiple forms of authentication and the user is allowed to choose the most appropriate one. The passwordless account store is ultimately responsible for determining the list of available authentication options and whether the user qualifies for the authentication selection flow.
As an example, the following account managed via the JSON passwordless account storage instructs CAS using the allowSelectionMenu flag to allow the flow to present available forms of authentication to the user:
{
  "@class" : "java.util.LinkedHashMap",
  "casuser" : {
    "@class" : "org.apereo.cas.api.PasswordlessUserAccount",
    "username": "casuser",
    "name" : "CAS",
    "email": "casuser@example.org",
    "allowSelectionMenu": true,
    "requestPassword": true,
    "delegatedAuthenticationEligible": "TRUE",
    "allowedDelegatedClients" : [ "java.util.ArrayList", [ "ExternalIdP" ] ],
    "multifactorAuthenticationEligible": "TRUE",
    "attributes" : {
      "@class" : "java.util.TreeMap",
      "memberOf" : [ "java.util.ArrayList", [ "mfa" ] ],
      "email": [ "java.util.ArrayList", [ "casuser@example.org" ] ]
    }
  }
}
The above account is allowed to choose between the following options:
- Authentication via password.
- Delegated authentication via the ExternalIdP identity provider.
- Multifactor authentication.
- Passwordless token-based authentication.
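When reviewing an account store, it helps to see which accounts expose the selection menu and which options each one would be offered. The following Python script is an added example, not part of the CAS documentation or code base; it reads a store in strict JSON and lists the options per account. The mapping from flags to options is an assumption inferred from the example above (CAS's own decision may also depend on server-wide settings), and the option labels and the tokenonly account are constructed.

```python
import json

# Constructed sample store in strict JSON, modelled on the account shown above.
STORE = """
{
  "@class": "java.util.LinkedHashMap",
  "casuser": {
    "@class": "org.apereo.cas.api.PasswordlessUserAccount",
    "allowSelectionMenu": true,
    "requestPassword": true,
    "delegatedAuthenticationEligible": "TRUE",
    "allowedDelegatedClients": ["java.util.ArrayList", ["ExternalIdP"]],
    "multifactorAuthenticationEligible": "TRUE"
  },
  "tokenonly": {
    "@class": "org.apereo.cas.api.PasswordlessUserAccount",
    "allowSelectionMenu": false
  }
}
"""

def unwrap(value):
    """Strip the ["java.util.ArrayList", [...]] type wrapper used for lists."""
    if isinstance(value, list) and len(value) == 2 and isinstance(value[1], list):
        return value[1]
    return value or []

def menu_options(account):
    """Options the menu would offer (assumed mapping; only "TRUE" counts as eligible)."""
    if not account.get("allowSelectionMenu"):
        return []
    options = ["passwordless-token"]
    if account.get("requestPassword"):
        options.append("password")
    if account.get("multifactorAuthenticationEligible") == "TRUE":
        options.append("mfa")
    if account.get("delegatedAuthenticationEligible") == "TRUE":
        options += ["delegated:" + c for c in unwrap(account.get("allowedDelegatedClients"))]
    return options

def review(store_text):
    """Map each account name to its menu options; skips the top-level @class key."""
    store = json.loads(store_text)
    return {name: menu_options(acct) for name, acct in store.items() if name != "@class"}

if __name__ == "__main__":
    for name, options in review(STORE).items():
        print(name, "->", ", ".join(options) or "no selection menu")
```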