Apereo CAS - Delegated Authentication w/ Identity Provider Discovery

Posted by Misagh Moayyed on September 13, 2021 · 6 mins read ·

Apereo CAS has had support to delegate authentication to external identity providers for quite some time. Of course, delegation is just a fancy word that ultimately means, whether automatically or at the click of a button, the browser is expected to redirect the user to the appropriate identity provider endpoint, and on the return trip back, CAS is tasked to shake hands, parse the response and extract attributes, etc to establish an authentication session, issue tickets, etc. Delegated authentication is also known as proxy authentication, though it should be noted that true proxy authentication could also mean something completely different when used in the context of the CAS protocol.

The discovery and selection strategy of such identity providers can be done in multiple ways. In this blog post, we will briefly review the configuration required to present identity providers to CAS and have users select one based on different and dynamic parameters.

Our starting position is as follows:

  • CAS 6.5.x
  • Java 11

Menu Selection

By default, the CAS strategy is to present what one might refer to as the NASCAR page; a selection menu that lists all available and authorized identity providers. This is the most common option where you get to pick and choose the provider you like:

Of course, the selection menu is static. That is, all options are presented at once and the system is not able to tailor the user experience to a specific identity provider more dynamically based on additional rules and settings. This is where dynamic discovery comes into effect.

Dynamic Discovery

To allow CAS to switch to the dynamic identity provider selection mode, we’ll need to activate the option first using the following setting:


When dynamic identity provider selection is activated, CAS allows the user to enter the selection screen rather than listing all available options as before:

In dynamic discovery, CAS would begin to select a specific identity provider based on user input, such as a username or email address. Predefined rules would then determine the proper identity provider to choose based on that user property. Here, the selection screen allows the user to provide an identifier based on which the ultimate identity provider would be determined:

By default, the identity provider selection rules are expected to be found in a JSON resource:


Here is an example that allows CAS to select the identity provider SAML2Client if the given user input matches the regular expression pattern .+@example.org:

    "@class" : "java.util.HashMap",
    ".+@example.org" : {
      "@class" : "org.apereo.cas.pac4j.discovery.DelegatedAuthenticationDynamicDiscoveryProvider",
      "clientName" : "SAML2Client",
      "order": 0

Of course, the strategy used to locate the identity provider can be completely customized using the following Spring @Bean:

public DelegatedAuthenticationDynamicDiscoveryProviderLocator myLocator() {
    return new CustomLocator();

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.


I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed