Multitenancy

CAS supports the notion of multitenancy, where a single CAS server can be used to isolate parts of its configuration and policies per each tenant that is assigned to a unique url to interact with the CAS server. Each tenant registered with CAS may have its own set of capabilities such as authentication strategy and policies. Support for multitenancy is baked into CAS as a first class citizen and you will need to configure CAS to enable the feature, register your tenants and define their capabilities.

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.multitenancy.core.enabled=false

    • Enable multitenancy support.

    org.apereo.cas.configuration.model.support.multitenancy.MultitenancyCoreProperties.

    How can I configure this property?

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, especially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    :information_source: Status

    Multitenancy is somewhat limited, new and is likely to evolve and change in future releases to support more use cases and capabilities for each tenant. Not every extension or feature in CAS may be immediately supported in a multitenant deployment.

    When multitenancy is enabled, registered tenants will each receive their own dedicated url to access CAS:

    

    1

    		

    /cas/tenants/{TENANT_ID}/...

    Furthermore, in some cases you may also be able to pass along the tenant id as a request header, and CAS will be able to resolve the tenant definition. This extraction logic is particularly employed for actuator endpoints that do support multitenancy:

    

    1
2
3

    		

    curl --location 
    'https://sso.example.org/cas/actuator/{ACTUATOR}' \
    --header 'X-Tenant-Id: {TENANT_ID}'

    Actuator Endpoints

    The following endpoints are provided by CAS:

     Remove a tenant definition by its id.

     Report registered tenant definitions.

     Report registered tenant definition by its id.

     Register or update a tenant definition.


    Tenant Registration

    Tenants are registered with CAS via a JSON file by default that is expected to be available at a well-known location and automatically watched for changes.

    The following settings and properties are available from the CAS configuration catalog:

    The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.multitenancy.json.location=

    • The location of the resource. Resources can be URLs, or files found either on the classpath or outside somewhere in the file system.

    In the event the configured resource is a Groovy script, especially if the script is set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf: fs.inotify.max_user_instances = 256.

    You can check the current value via cat /proc/sys/fs/inotify/max_user_instances.

    In situations and scenarios where CAS is able to automatically watch the underlying resource for changes and detect updates and modifications dynamically, you may be able to specify the following setting as either an environment variable or system property with a value of false to disable the resource watcher: org.apereo.cas.util.io.PathWatcherService.

    org.apereo.cas.configuration.model.SpringResourceProperties.

    How can I configure this property?

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, especially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    The basic construct for a tenant definition should match the following:

    

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

    		

    [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "description": "This is my tenant description",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "key": "value"
      },
      "authenticationPolicy": {
        "@class": "org.apereo.cas.multitenancy.DefaultTenantAuthenticationPolicy",
        "authenticationHandlers": [ "java.util.ArrayList", [ "LdapAuthHandler1" ] ],
        "attributeRepositories": [ "java.util.ArrayList", [ "AttributeRepository1" ] ],
        "authenticationProtocolPolicy": {
          "@class": "org.apereo.cas.multitenancy.TenantCasAuthenticationProtocolPolicy",
          "supportedProtocols": [ "java.util.HashSet", [ "SAML1", "CAS20", "CAS30" ] ]
        }
      },
      "delegatedAuthenticationPolicy": {
        "@class": "org.apereo.cas.multitenancy.DefaultTenantDelegatedAuthenticationPolicy",
        "allowedProviders": [ "java.util.ArrayList", [ "..." ] ]
      },
      "userInterfacePolicy": {
        "@class": "org.apereo.cas.multitenancy.DefaultTenantUserInterfacePolicy",
        "themeName": "shire"
      }
    }
  ]
]

    Custom Tenant Registration

    If you need to customize the tenant registration process, you may do so by providing a custom implementation of the following bean definition:

    

    1
2
3
4

    		

    @Bean
public TenantsManager tenantsManager() {
    return new MyTenantsManager();
}

    See this guide to learn more about how to register configurations into the CAS runtime.

    Tenant Capabilities

    A registered tenant definition supports the following fields and capabilities:

    Field Description
    id Primary identifier for the tenant that forms the dedicated tenant URL.
    description Description of what this tenant is about.
    properties Map of CAS configuration properties effective for this tenant. Remember that not all properties are multitenant aware.
    authenticationPolicy Describes the criteria for primary authentication, list of allowed authentication handlers, etc.
    delegatedAuthenticationPolicy Describes the criteria for external authentication, list of allowed identity providers, etc.
    userInterfacePolicy Describes how the tenant should control settings relevant for user interface pages.

    Authentication Policy

    The tenant authentication policy supports the following fields:

    Field Description
    authenticationHandlers List of authentication handlers pre-built available to this tenant, invoked during authentication attempts.
    attributeRepositories List of attribute repositories pre-built available to this tenant, invoked during authentication attempts.

    CAS features and modules that are multitenant-aware also have the ability to build their own list of authentication handlers dynamically and on the fly without relying on the static list of authentication handlers that are bootstrapped during startup, noted via the authenticationHandlers field above.

    Custom authentication handlers that are built dynamically for each tenant may be defined using the following strategy:

    

    1
2
3
4
5
6
7

    		

    @Bean
public AuthenticationEventExecutionPlanConfigurer myTenantAuthentication() {
    return plan -> {
        var builder = new MyTenantAuthenticationHandlerBuilder(...);
        plan.registerTenantAuthenticationHandlerBuilder(builder);
    };
}

    See this guide to learn more about how to register configurations into the CAS runtime.

    Please check the documentation for each feature or module to see if it supports multitenancy.

    Attribute Resolution

    CAS features and modules that are multitenant-aware also have the ability to build their own list of attribute repositories dynamically and on the fly without relying on repository implementations that are bootstrapped during startup.

    Custom attribute repositories that are built dynamically for each tenant may be defined using the following strategy:

    

    1
2
3
4

    		

    @Bean
public TenantPersonAttributeDaoBuilder myTenantPersonAttributeDaoBuilder() {
    return new MyTenantPersonAttributeDaoBuilder(..);
}

    See this guide to learn more about how to register configurations into the CAS runtime.

    Please check the documentation for each feature or module to see if it supports multitenancy.

    Authentication Protocol Policy

    The tenant authentication protocol policy controls specific aspects of a CAS-supported authentication protocol. Each policy setting is captured inside a dedicated component that is responsible for managing the protocol settings and capabilities.

    • CAS: o.a.c.m.TenantCasAuthenticationProtocolPolicy
    Field Description
    supportedProtocols Set of supported authentication protocols that are owned by the CAS protocol.

    Delegated Authentication Policy

    The tenant delegated authentication policy controls aspects of CAS that support authentication via external identity providers.

    Field Description
    allowedProviders List of identity providers that are allowed and authorized for this tenant.

    User Interface Policy

    The tenant user interface policy controls per-tenant settings that describe a theme. The theme defined will allow CAS to pull the appropriate theme resource defined here.

    Furthermore, the theme definition is able to point to its own message bundle for various language keys:

    

    1
2
3
4
5
6
7
8
9

    		

    {
  "@class": "org.apereo.cas.multitenancy.TenantDefinition",
  "id": "shire",
  "description": "Example tenant",
  "properties": {
    "@class": "java.util.LinkedHashMap",
    "cas.message-bundle.base-names": "classpath:/shire_messages"
  }
}

    Note that the tenant language bundle may only define what it actually requires. It is not necessary to define the entire set of language keys that are available in the default CAS bundle. The default bundles are still picked up to fill in the gaps for any missing keys.

    Tenant Properties

    The tenant properties field is a map of CAS properties that are effective for this tenant. CAS features and modules that do support multitenancy are able to read this map and apply the properties to the tenant context. Examples here may include defining email server settings, authentication handler construction and more.

    Tenant definition properties may be defined and secured via CAS configuration security.

    :information_source: Remember

    Not every CAS configuration property is multitenant-aware, and this capability is limited to CAS features and modules that are explicitly designed to support multitenancy. Support for multitenancy is evolving and new features and support for more modules may be added in future releases. Please check the documentation for each feature or module to see if it supports multitenancy.

    The following examples are available:

    • The following tenant definition is allowed to define its email server:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "spring.mail.host": "localhost",
        "spring.mail.port": 25000
      }
    }
  ]
]

    • The following tenant definition is allowed to define its LDAP authentication:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.authn.ldap[0].type": "DIRECT",
        "cas.authn.ldap[0].dn-format": "uid=%s,ou=people,dc=example,dc=org",
        "cas.authn.ldap[0].ldap-url": "ldap://localhost:11389"
      }
    }
  ]
]

    • The following tenant definition is allowed to define its JDBC authentication:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.authn.jdbc.procedure[0].procedure-name": "sp_authenticate",
        "cas.authn.jdbc.procedure[0].user": "postgres",
        "cas.authn.jdbc.procedure[0].password": "...",
        "cas.authn.jdbc.procedure[0].driver-class": "org.postgresql.Driver",
        "cas.authn.jdbc.procedure[0].url": "jdbc:postgresql://localhost:5432/users",
        "cas.authn.jdbc.procedure[0].dialect": "org.hibernate.dialect.PostgreSQLDialect"
      }
    }
  ]
]

    • The following tenant definition is allowed to define its external identity provider:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.authn.pac4j.cas[0].login-url": "https://sso.example.org/cas/login"
      }
    }
  ]
]

    • The following tenant definition will activate Multifactor Authentication based on Duo Security:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.authn.mfa.triggers.global.global-provider-id": "mfa-duo"
      }
    }
  ]
]

    • Configuration properties assigned to a tenant definition may be secured via CAS configuration security:

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "description": "Shire tenant",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.some.property": "{cas-cipher}xoLrkVhqnyAmMHqxWi3t+AcXf/w6Mg3bltpdP1kmG9E="
      }
    }
  ]
]

    • CAS employs a special filter that is able to map an incoming request to a tenant definition based on the Host header that is ultimately picked up by HttpServletRequest#getServerName(). A matching request will be routed to the appropriate tenant url.

      • If the Host header is given as sso.example.org, i.e. via a reverse proxy, the shire tenant definition will allow CAS to route requests from https://sso.example.org/cas/login to https://${cas.server.domain}/cas/tenants/shire/login.

      • If the Host header is given as sso.example.com, the london tenant definition will allow CAS to route requests from https://sso.example.org/cas/login to https://${cas.server.domain}/cas/tenants/london/login.

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.server.name": "https://sso.example.org"
      }
    },
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "london",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.host.name": "sso.example.com"
      }
    }
  ]
]

      This setup is useful in scenarios where there is a reverse proxy that sits in front of CAS and is able to route traffic for predefined hosts to CAS tenants. For example, the setup below for nginx, combined with the tenant definitions, allows CAS to route traffic for sso.example.com to the london tenant definition that carries its own host name noted above:

      

      1
2
3
4
5
6
7

      		

      location /cas {
    proxy_pass https://cas.example.org:8443;
    proxy_set_header Host "sso.example.com";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_cookie_path /cas/tenants/london /cas;
}
      :information_source: Note

      Make note of the proxy_cookie_path setting which rewrite the cookie path for this tenant. This is required because the cookie path is always scoped to the tenant URL by CAS, and subsequently may not be made available to the browser since original request is passing through a reverse proxy.

      You can build your own tenant routing and filtering mechanism via the following bean definition:

      

      1
2
3
4
5
6
7
8

      		

      @Bean
public FilterRegistrationBean tenantRoutingFilter() {
    var fr = new FilterRegistrationBean<MyTenantRoutingFilter>();
    /*
        fr.setFilter(new MyTenantRoutingFilter());
    */
    return fr;
}

    • The following tenant definition is allowed to define its own attribute consent storage via MongoDb.

      Depending on your choice of storage, the proper extension module must be included in your CAS deployment. As ever, please verify that the module does actually support multitenancy.

      

      1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

      		

      [
  "java.util.ArrayList",
  [
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.consent.mongo.host": "localhost",
        "cas.consent.mongo.port": "27017",
        "cas.consent.mongo.user-id": "...",
        "cas.consent.mongo.password": "...",
        "cas.consent.mongo.collection": "TenantsConsentRepository",
        "cas.consent.mongo.authentication-database-name": "admin",
        "cas.consent.mongo.database-name": "consent"
      }
    }
  ]
]

      In the event that the tenant does not specify its own attribute consent storage, the default storage defined globally in the CAS configuration for the entire CAS deployment will be used.

    Notes on Performance

    The current multitenant design resolves the tenant at runtime and dynamically builds the resource access path needed for that tenant. The target resource may be a JDBC database, REST API, LDAP directory, message broker, remote service, or another tenant-specific integration point. This keeps the system flexible and avoids eagerly registering a large number of tenant-specific Spring components, especially when tenants may each choose different endpoints, credentials, protocols, storage backends, or operational policies. It also avoids assuming that all tenants are active at the same time.

    The main caveat with this design is performance under concurrent activity. If each tenant operation creates a new resource client, establishes a connection, authenticates, executes the operation, and then immediately tears everything down, the system repeatedly pays the cost of setup and cleanup. Depending on the resource type, this overhead may include TCP connection establishment, TLS negotiation, authentication or bind operations, connection validation, session initialization, client construction, metadata discovery, and remote service cleanup. For a small number of tenants with light or sporadic usage, this may be acceptable. However, with moderately active tenants, especially when CAS flows perform multiple tenant-backed operations per request, repeated setup and teardown can introduce latency spikes and increase load on both CAS and the downstream tenant resources.

    For a deployment with a relatively small number of tenants, such as around 20, the current approach can be viable if traffic is moderate, resource setup is fast, downstream systems are nearby and reliable, and the number of tenant-specific operations per CAS request is low. That said, the risk increases with concurrent logins, service lookups, consent checks, profile lookups, attribute resolution, audit writes, or other operations that occur during authentication and protocol flows. The determining factor is less the total number of configured tenants and more the number of active tenants, concurrent requests per tenant, tenant-specific operations per request, and the average and tail latency of each full setup/operation/teardown cycle.

    A possible future improvement is to retain the dynamic tenant-resolution model but avoid tearing down expensive resource infrastructure immediately after every operation. Instead, CAS could use a lazy, bounded, tenant-aware registry or cache for resource clients and connection-capable components. Tenant-specific resources would be created only when first needed, reused while the tenant remains active, and closed after an idle timeout, health failure, configura tion change, or cache eviction. For resources that support pooling, such as JDBC, LDAP, HTTP, or messaging clients, small pools with conservative limits can allow active tenants to benefit from reuse while preventing inactive tenants from consuming resources indefinitely.

    This future possible approach provides a better balance between flexibility and performance. It avoids the cost and complexity of eagerly registering every possible tenant resource as a Spring bean, while also avoiding the latency and churn of creating and destroying expensive clients or connections on every request. Over time, the implementation can be enhanced with global resource limits, idle eviction, per-tenant metrics, health checks, circuit breakers for unhealthy downstream systems, connection and request timeout controls, configuration refresh support, secret rotation support, and operational safeguards to prevent one tenant from exhausting shared CAS resources or overwhelming downstream services.

    We might consider improving this design in future iterations based on community demand and deployment experience.