WORKERS AHEAD!
You are viewing the development documentation for the Apereo CAS server. The functionality presented here is not officially released yet. This is a work in progress and will be continually updated as development moves forward. You are most encouraged to test the changes presented.
SAML2 Delegated Authentication - Identity Provider Discovery Service
NoteUsing identity provider discovery requires delegated authentication to be available. This feature cannot be used on its own as a standalone discovery service.
1
2
3
4
5
<dependency>
<groupId>org.apereo.cas</groupId>
<artifactId>cas-server-support-saml-idp-discovery</artifactId>
<version>${cas.version}</version>
</dependency>
1
implementation "org.apereo.cas:cas-server-support-saml-idp-discovery:${project.'cas.version'}"
1
2
3
4
5
6
7
8
9
dependencyManagement {
imports {
mavenBom "org.apereo.cas:cas-server-support-bom:${project.'cas.version'}"
}
}
dependencies {
implementation "org.apereo.cas:cas-server-support-saml-idp-discovery"
}
1
2
3
4
5
6
7
8
9
10
dependencies {
/*
The following platform references should be included automatically and are listed here for reference only.
implementation enforcedPlatform("org.apereo.cas:cas-server-support-bom:${project.'cas.version'}")
implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)
*/
implementation "org.apereo.cas:cas-server-support-saml-idp-discovery"
}
Identity provider discovery allows CAS to embed and present a discovery service as part of delegated authentication. Configured SAML2 identity providers in the CAS configuration used for delegated authentication are presented as options for discovery.
CAS is also able to directly consume multiple JSON feeds that contain discovery metadata about available identity providers. The discovery JSON feed may be fetched from a URL (i.e. exposed by a Shibboleth Service Provider) or it may directly be consumed as a JSON file with the following structure:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[{
"entityID": "https://idp.example.net/idp/saml",
"DisplayNames": [{
"value": "Example.net",
"lang": "en"
}],
"Descriptions": [{
"value": "An identity provider for the people, by the people.",
"lang": "en"
}],
"Logos": [{
"value": "https://example.net/images/logo.png",
"height": "90",
"width": "62"
}]
}]
The following endpoints are available:
| Endpoint | Description |
|---|---|
/idp/discovery |
Identity provider discovery landing page. |
/idp/discovery/feed |
Identity provider discovery JSON feed. |
/idp/discovery/redirect |
Return endpoint to let CAS invoke the identity provider after selection. |
Applications may directly invoke the discovery service via [cas-server-prefix]/idp/discovery. The discovery service may also
be invoked using the discovery protocol via [cas-server-prefix]/idp/discovery?entityID=[service-provider-entity-id]&return=[cas-server-prefix]/idp/discovery/redirect.
Additional parameters may be included as part of the return url and they all must be encoded.