Multitenancy

CAS supports the notion of multitenancy, where a single CAS server can be used to isolate parts of its configuration and policies per each tenant that is assigned to a unique url to interact with the CAS server. Each tenant registered with CAS may have its own set of capabilities such as authentication strategy and policies. Support for multitenancy is baked into CAS as a first class citizen and you will need to configure CAS to enable the feature, register your tenants and define their capabilities.

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

  • cas.multitenancy.core.enabled=false
  • Enable multitenancy support.

    org.apereo.cas.configuration.model.support.multitenancy.MultitenancyCoreProperties.

    How can I configure this property?

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, especially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    :information_source: Status

    Multitenancy is somewhat limited, new and is likely to evolve and change in future releases to support more use cases and capabilities for each tenant. Not every extension or feature in CAS may be immediately supported in a multitenant deployment.

    When multitenancy is enabled, registered tenants will each receive their own dedicated url to access CAS:

    1
    
    /cas/tenants/{TENANT_ID}/...
    

    Actuator Endpoints

    The following endpoints are provided by CAS:

     Report registered tenant definition by its id.

     Report registered tenant definitions.


    Tenant Registration

    Tenants are registered with CAS via a JSON file by default that is expected to be available at a well-known location and automatically watched for changes.

    The following settings and properties are available from the CAS configuration catalog:

    The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.multitenancy.json.location=
  • The location of the resource. Resources can be URLs, or files found either on the classpath or outside somewhere in the file system.

    In the event the configured resource is a Groovy script, especially if the script is set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf: fs.inotify.max_user_instances = 256.

    You can check the current value via cat /proc/sys/fs/inotify/max_user_instances.

    In situations and scenarios where CAS is able to automatically watch the underlying resource for changes and detect updates and modifications dynamically, you may be able to specify the following setting as either an environment variable or system property with a value of false to disable the resource watcher: org.apereo.cas.util.io.PathWatcherService.

    org.apereo.cas.configuration.model.SpringResourceProperties.

    How can I configure this property?

    The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value. In other words, you should only include this field in your configuration if you need to modify the default value or if you need to turn on the feature controlled by the setting.

    Configuration Metadata

    The collection of configuration properties listed in this section are automatically generated from the CAS source and components that contain the actual field definitions, types, descriptions, modules, etc. This metadata may not always be 100% accurate, or could be lacking details and sufficient explanations.

    Be Selective

    This section is meant as a guide only. Do NOT copy/paste the entire collection of settings into your CAS configuration; rather pick only the properties that you need. Do NOT enable settings unless you are certain of their purpose and do NOT copy settings into your configuration only to keep them as reference. All these ideas lead to upgrade headaches, maintenance nightmares and premature aging.

    YAGNI

    Note that for nearly ALL use cases, declaring and configuring properties listed here is sufficient. You should NOT have to explicitly massage a CAS XML/Java/etc configuration file to design an authentication handler, create attribute release policies, etc. CAS at runtime will auto-configure all required changes for you. If you are unsure about the meaning of a given CAS setting, do NOT turn it on without hesitation. Review the codebase or better yet, ask questions to clarify the intended behavior.

    Naming Convention

    Property names can be specified in very relaxed terms. For instance cas.someProperty, cas.some-property, cas.some_property are all valid names. While all forms are accepted by CAS, there are certain components (in CAS and other frameworks used) whose activation at runtime is conditional on a property value, where this property is required to have been specified in CAS configuration using kebab case. This is both true for properties that are owned by CAS as well as those that might be presented to the system via an external library or framework such as Spring Boot, etc.

    :information_source: Note

    When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

    Settings and properties that are controlled by the CAS platform directly always begin with the prefix cas. All other settings are controlled and provided to CAS via other underlying frameworks and may have their own schemas and syntax. BE CAREFUL with the distinction. Unrecognized properties are rejected by CAS and/or frameworks upon which CAS depends. This means if you somehow misspell a property definition or fail to adhere to the dot-notation syntax and such, your setting is entirely refused by CAS and likely the feature it controls will never be activated in the way you intend.

    Validation

    Configuration properties are automatically validated on CAS startup to report issues with configuration binding, especially if defined CAS settings cannot be recognized or validated by the configuration schema. Additional validation processes are also handled via Configuration Metadata and property migrations applied automatically on startup by Spring Boot and family.

    Indexed Settings

    CAS settings able to accept multiple values are typically documented with an index, such as cas.some.setting[0]=value. The index [0] is meant to be incremented by the adopter to allow for distinct multiple configuration blocks.

    The basic construct for a tenant definition should match the following:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    
    [
      "java.util.ArrayList",
      [
        {
          "@class": "org.apereo.cas.multitenancy.TenantDefinition",
          "id": "shire",
          "description": "This is my tenant description",
          "properties": {
            "@class": "java.util.LinkedHashMap",
            "key": "value"
          },
          "authenticationPolicy": {
            "@class": "org.apereo.cas.multitenancy.DefaultTenantAuthenticationPolicy",
            "authenticationHandlers": [ "java.util.ArrayList", [ "LdapAuthHandler1" ] ],
            "attributeRepositories": [ "java.util.ArrayList", [ "AttributeRepository1" ] ],
            "authenticationProtocolPolicy": {
              "@class": "org.apereo.cas.multitenancy.TenantCasAuthenticationProtocolPolicy",
              "supportedProtocols": [ "java.util.HashSet", [ "SAML1", "CAS20", "CAS30" ] ]
            }
          },
          "delegatedAuthenticationPolicy": {
            "@class": "org.apereo.cas.multitenancy.DefaultTenantDelegatedAuthenticationPolicy",
            "allowedProviders": [ "java.util.ArrayList", [ "..." ] ]
          },
          "userInterfacePolicy": {
            "@class": "org.apereo.cas.multitenancy.DefaultTenantUserInterfacePolicy",
            "themeName": "shire"
          }
        }
      ]
    ]
    

    Custom Tenant Registration

    If you need to customize the tenant registration process, you may do so by providing a custom implementation of the following bean definition:

    1
    2
    3
    4
    
    @Bean
    public TenantsManager tenantsManager() {
        return new MyTenantsManager();
    }
    

    See this guide to learn more about how to register configurations into the CAS runtime.

    Tenant Capabilities

    A registered tenant definition supports the following fields and capabilities:

    Field Description
    id Primary identifier for the tenant that forms the dedicated tenant URL.
    description Description of what this tenant is about.
    properties Map of CAS configuration properties effective for this tenant. Remember that not all properties are multitenant aware.
    authenticationPolicy Describes the criteria for primary authentication, list of allowed authentication handlers, etc.
    delegatedAuthenticationPolicy Describes the criteria for external authentication, list of allowed identity providers, etc.
    userInterfacePolicy Describes how the tenant should control settings relevant for user interface pages.

    Authentication Policy

    The tenant authentication policy supports the following fields:

    Field Description
    authenticationHandlers List of authentication handlers pre-built available to this tenant, invoked during authentication attempts.
    attributeRepositories List of attribute repositories pre-built available to this tenant, invoked during authentication attempts.

    CAS features and modules that are multitenant-aware also have the ability to build their own list of authentication handlers dynamically and on the fly without relying on the static list of authentication handlers that are bootstrapped during startup, noted via the authenticationHandlers field above.

    Custom authentication handlers that are built dynamically for each tenant may be defined using the following strategy:

    1
    2
    3
    4
    5
    6
    7
    
    @Bean
    public AuthenticationEventExecutionPlanConfigurer myTenantAuthentication() {
        return plan -> {
            var builder = new MyTenantAuthenticationHandlerBuilder(...);
            plan.registerTenantAuthenticationHandlerBuilder(builder);
        };
    }
    

    See this guide to learn more about how to register configurations into the CAS runtime.

    Please check the documentation for each feature or module to see if it supports multitenancy.

    Attribute Resolution

    CAS features and modules that are multitenant-aware also have the ability to build their own list of attribute repositories dynamically and on the fly without relying on repository implementations that are bootstrapped during startup.

    Custom attribute repositories that are built dynamically for each tenant may be defined using the following strategy:

    1
    2
    3
    4
    
    @Bean
    public TenantPersonAttributeDaoBuilder myTenantPersonAttributeDaoBuilder() {
        return new MyTenantPersonAttributeDaoBuilder(..);
    }
    

    See this guide to learn more about how to register configurations into the CAS runtime.

    Please check the documentation for each feature or module to see if it supports multitenancy.

    Authentication Protocol Policy

    The tenant authentication protocol policy controls specific aspects of a CAS-supported authentication protocol. Each policy setting is captured inside a dedicated component that is responsible for managing the protocol settings and capabilities.

    • CAS: o.a.c.m.TenantCasAuthenticationProtocolPolicy
    Field Description
    supportedProtocols Set of supported authentication protocols that are owned by the CAS protocol.

    Delegated Authentication Policy

    The tenant delegated authentication policy controls aspects of CAS that support authentication via external identity providers.

    Field Description
    allowedProviders List of identity providers that are allowed and authorized for this tenant.

    User Interface Policy

    The tenant user interface policy controls per-tenant settings that describe a theme. The theme defined will allow CAS to pull the appropriate theme resource defined here.

    Furthermore, the theme definition is able to point to its own message bundle for various language keys:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    
    {
      "@class": "org.apereo.cas.multitenancy.TenantDefinition",
      "id": "shire",
      "description": "Example tenant",
      "properties": {
        "@class": "java.util.LinkedHashMap",
        "cas.message-bundle.base-names": "classpath:/shire_messages"
      }
    }
    

    Note that the tenant language bundle may only define what it actually requires. It is not necessary to define the entire set of language keys that are available in the default CAS bundle. The default bundles are still picked up to fill in the gaps for any missing keys.

    Tenant Properties

    The tenant properties field is a map of CAS properties that are effective for this tenant. CAS features and modules that do support multitenancy are able to read this map and apply the properties to the tenant context. Examples here may include defining email server settings, authentication handler construction and more.

    Tenant definition properties may be defined and secured via CAS configuration security.

    :information_source: Remember

    Not every CAS configuration property is multitenant-aware, and this capability is limited to CAS features and modules that are explicitly designed to support multitenancy. Support for multitenancy is evolving and new features and support for more modules may be added in future releases. Please check the documentation for each feature or module to see if it supports multitenancy.

    The following examples are available:

    • The following tenant definition is allowed to define its email server:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "spring.mail.host": "localhost",
              "spring.mail.port": 25000
            }
          }
        ]
      ]
      
    • The following tenant definition is allowed to define its LDAP authentication:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.authn.ldap[0].type": "DIRECT",
              "cas.authn.ldap[0].dn-format": "uid=%s,ou=people,dc=example,dc=org",
              "cas.authn.ldap[0].ldap-url": "ldap://localhost:11389"
            }
          }
        ]
      ]
      
    • The following tenant definition is allowed to define its JDBC authentication:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.authn.jdbc.procedure[0].procedure-name": "sp_authenticate",
              "cas.authn.jdbc.procedure[0].user": "postgres",
              "cas.authn.jdbc.procedure[0].password": "...",
              "cas.authn.jdbc.procedure[0].driver-class": "org.postgresql.Driver",
              "cas.authn.jdbc.procedure[0].url": "jdbc:postgresql://localhost:5432/users",
              "cas.authn.jdbc.procedure[0].dialect": "org.hibernate.dialect.PostgreSQLDialect"
            }
          }
        ]
      ]
      
    • The following tenant definition is allowed to define its external identity provider:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.authn.pac4j.cas[0].login-url": "https://sso.example.org/cas/login"
            }
          }
        ]
      ]
      
    • The following tenant definition will activate Multifactor Authentication based on Duo Security:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.authn.mfa.triggers.global.global-provider-id": "mfa-duo"
            }
          }
        ]
      ]
      
    • Configuration properties assigned to a tenant definition may be secured via CAS configuration security:

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "description": "Shire tenant",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.some.property": "{cas-cipher}xoLrkVhqnyAmMHqxWi3t+AcXf/w6Mg3bltpdP1kmG9E="
            }
          }
        ]
      ]
      
    • CAS employs a special filter that is able to map an incoming request to a tenant definition based on the Host header that is ultimately picked up by HttpServletRequest#getServerName(). A matching request will be routed to the appropriate tenant url.

      • If the Host header is given as sso.example.org, i.e. via a reverse proxy, the shire tenant definition will allow CAS to route requests from https://sso.example.org/cas/login to https://${cas.server.domain}/cas/tenants/shire/login.

      • If the Host header is given as sso.example.com, the london tenant definition will allow CAS to route requests from https://sso.example.org/cas/login to https://${cas.server.domain}/cas/tenants/london/login.

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      
      [
        "java.util.ArrayList",
        [
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "shire",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.server.name": "https://sso.example.org"
            }
          },
          {
            "@class": "org.apereo.cas.multitenancy.TenantDefinition",
            "id": "london",
            "properties": {
              "@class": "java.util.LinkedHashMap",
              "cas.host.name": "sso.example.com"
            }
          }
        ]
      ]
      

      This setup is useful in scenarios where there is a reverse proxy that sits in front of CAS and is able to route traffic for predefined hosts to CAS tenants. For example, the setup below for nginx, combined with the tenant definitions, allows CAS to route traffic for sso.example.com to the london tenant definition that carries its own host name noted above:

      1
      2
      3
      4
      5
      6
      7
      
      location /cas {
          proxy_pass https://cas.example.org:8443;
          proxy_set_header Host "sso.example.com";
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_cookie_path /cas/tenants/london /cas;
      }
      
      :information_source: Note

      Make note of the proxy_cookie_path setting which rewrite the cookie path for this tenant. This is required because the cookie path is always scoped to the tenant URL by CAS, and subsequently may not be made available to the browser since original request is passing through a reverse proxy.

      You can build your own tenant routing and filtering mechanism via the following bean definition:

      1
      2
      3
      4
      5
      6
      7
      8
      
      @Bean
      public FilterRegistrationBean tenantRoutingFilter() {
          var fr = new FilterRegistrationBean<MyTenantRoutingFilter>();
          /*
              fr.setFilter(new MyTenantRoutingFilter());
          */
          return fr;
      }