When Apereo CAS is configured to hand off the authentication flow to external identity providers, one use case that often pops up is the ability to auto-select the appropriate identity provider based on user affiliations, scope, or tenancy. In simple scenarios, this selection logic is keyed off of the user identifier. For example, the SSO system should be able to auto-select GitHub as the external identity provider, if the user’s given identifier is in the format of firstname.lastname@example.org and so on.
This post describes a modest enhancement to the CAS user interface to allow automatic selection of the correct identity provider based on user identifiers.
Our starting position is as follows:
Let’s suppose that a given CAS server is configured to hand off the authentication flow to the following external identity providers:
To handle automatic selection of the correct identity provider, we can start by customizing the
It is important to emphasize that this is a modest user interface enhancement, mostly designed as a matter of convenience to the user and the overall user experience. Other variations of this flow that force the server to execute authorization logic to determine the user’s home identity provider without providing a selection menu cannot be handled via client-side enhancements in a secure way and must be pushed back to the backend server.
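The client-side selection described above can be sketched as a pure function that maps an identifier to a provider name. This is an added example, not code from the original post or from CAS. The rule table is constructed: only GitHub and example.org come from the post, and `CorporateSAML` and its domain are hypothetical. The result is only a hint for which provider to pre-select, and anything that is not a clean, unambiguous match returns `null` so the selection menu stays in front of the user.

```javascript
// Added example: choose an identity provider from a user identifier.
// Constructed rule table; "CorporateSAML" and its domain are hypothetical.
const RULES = [
  { provider: "GitHub", domain: "example.org" },
  { provider: "CorporateSAML", domain: "corp.example.com" },
];

// Returns the provider name, or null when the menu should remain visible.
function selectProvider(identifier, rules = RULES) {
  if (typeof identifier !== "string") return null;
  const id = identifier.trim().toLowerCase();

  // Require exactly one "@", a non-empty local part and a non-empty domain.
  const at = id.indexOf("@");
  if (at <= 0 || at !== id.lastIndexOf("@") || at === id.length - 1) {
    return null;
  }
  const domain = id.slice(at + 1);

  // Exact comparison on the whole domain: a suffix or substring check would
  // also accept "notexample.org" or "example.org.invalid".
  const matches = rules.filter((r) => r.domain.toLowerCase() === domain);

  // If the table maps one domain to several providers, do not guess.
  const names = new Set(matches.map((r) => r.provider));
  return names.size === 1 ? [...names][0] : null;
}
```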
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.