Apereo CAS - Delegated Authentication & Identity Provider Auto Redirection

Posted by Misagh Moayyed on May 05, 2023 · 4 mins read ·

When setting up Apereo CAS to delegate authentication to external identity providers, one common consideration is to determine whether requests sent to the identity provider should be made manually or automatically and to evaluate the user experience for each case. There are at least three options to consider here:

  1. Allow the user to make the selection manually.
  2. Redirect automatically via the browser, with appropriate messaging on the screen that instructs the user to wait while the flow is being redirected to an external website.
  3. Redirect automatically to the identity provider via the server, effectively turning CAS into an invisible proxy.

In this blog post, we will briefly review the configuration required to redirect to delegated identity providers and ways we can modify the system to handle automatic redirects.

Our starting position is as follows:

  • CAS 6.6.x
  • Java 11

Initial Setup

Let’s start with the basic premise that our CAS server is prepped for external (delegated) authentication and that our external identity provider is Azure Active Directory with which we shall interact via the SAML2 protocol:

cas.authn.pac4j.saml[0].keystore-password=...
cas.authn.pac4j.saml[0].private-key-password=...
cas.authn.pac4j.saml[0].service-provider-entity-id=https://sso.example.org/cas/samlsp
cas.authn.pac4j.saml[0].service-provider.file-system.location=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].identity-provider-metadata-path=https://login.microsoftonline.com/...
cas.authn.pac4j.saml[0].client-name=SAML2Client

Now, let’s decide how to redirect to Azure AD.

User Selection

The default configuration and setup always allow the user to make the selection from a menu of the configured identity providers.

This is useful in scenarios where you want to present all authentication options to the user.

Browser (Client) Redirects

It is also possible to instruct CAS to redirect to Azure AD automatically. The browser can be instructed to execute the redirect, so that the user sees the transition with a small visual cue and some instructive text, e.g. Please wait while we redirect you…. This option is enabled with the following setting:

cas.authn.pac4j.saml[0].auto-redirect-type=CLIENT

Server Redirects

The opposite option is also possible, where CAS is instructed to redirect to Azure AD automatically on the server side, thereby making itself completely invisible to the end user. This option is enabled with the following setting:

cas.authn.pac4j.saml[0].auto-redirect-type=SERVER
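Before switching a client from the selection menu to CLIENT or SERVER auto-redirection, it is worth checking that the delegated-client block from the initial setup above is complete and sane, since once CAS redirects automatically there is no menu left for a misconfigured client to hide behind. The following linter is an added example and is not part of the original post or of the CAS project: it parses the cas.authn.pac4j.saml[N].* properties shown in this post, flags placeholder secrets and identity-provider metadata fetched over plain HTTP, and rejects an auto-redirect-type that is not one of NONE, CLIENT or SERVER. The sample properties embedded in it are constructed; the regex, the list of required keys and the placeholder list are assumptions of this example, not CAS's own validation.

```python
"""Lint CAS pac4j SAML2 delegated-authentication properties.

Added example (not from the post or the CAS project). It reads the
cas.authn.pac4j.saml[N].<key>=<value> lines the post uses and reports
settings a reviewer would want fixed before enabling auto-redirection.
"""
import re
from collections import defaultdict

# Assumption: one property per line, in the flat key=value form used in the post.
PROP_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.([\w.\-]+)\s*=\s*(.*)$")

# Accepted auto-redirect-type values (CAS DelegationAutoRedirectTypes).
REDIRECT_TYPES = {"NONE", "CLIENT", "SERVER"}

# Keys this example treats as mandatory for a usable SAML2 client (assumption).
REQUIRED = {
    "keystore-path", "keystore-password", "private-key-password",
    "service-provider-entity-id", "identity-provider-metadata-path", "client-name",
}

# Values that indicate a secret was never filled in (assumption).
PLACEHOLDERS = {"", "...", "changeit", "password"}


def parse_saml_clients(text):
    """Group properties by client index: {0: {"client-name": "...", ...}, ...}."""
    clients = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PROP_RE.match(line)
        if m:
            idx, key, value = m.groups()
            clients[int(idx)][key] = value.strip()
    return dict(clients)


def lint_client(idx, props):
    """Return a list of human-readable findings for one saml[idx] client."""
    findings = []
    for key in sorted(REQUIRED - props.keys()):
        findings.append(f"saml[{idx}]: missing required property {key}")
    for key in ("keystore-password", "private-key-password"):
        if props.get(key, "").lower() in PLACEHOLDERS:
            findings.append(f"saml[{idx}]: {key} is empty or a placeholder value")
    redirect = props.get("auto-redirect-type", "NONE").upper()
    if redirect not in REDIRECT_TYPES:
        findings.append(
            f"saml[{idx}]: auto-redirect-type {redirect!r} is not one of {sorted(REDIRECT_TYPES)}")
    metadata = props.get("identity-provider-metadata-path", "")
    if metadata.lower().startswith("http://"):
        findings.append(f"saml[{idx}]: identity-provider metadata is fetched over plain HTTP; use https")
    entity_id = props.get("service-provider-entity-id", "")
    if entity_id and not entity_id.startswith("https://"):
        findings.append(f"saml[{idx}]: service-provider-entity-id should be an https URL")
    return findings


def lint(text):
    """Lint every saml[N] client found in the properties text."""
    clients = parse_saml_clients(text)
    if not clients:
        return ["no cas.authn.pac4j.saml[N] clients configured"]
    findings = []
    for idx in sorted(clients):
        findings.extend(lint_client(idx, clients[idx]))
    return findings


# Constructed sample: client 0 is well formed and auto-redirects via the
# browser; client 1 still carries placeholder secrets, an http:// metadata
# URL and an unsupported redirect type.
SAMPLE = """\
cas.authn.pac4j.saml[0].keystore-password=s3cret-keystore
cas.authn.pac4j.saml[0].private-key-password=s3cret-key
cas.authn.pac4j.saml[0].service-provider-entity-id=https://sso.example.org/cas/samlsp
cas.authn.pac4j.saml[0].service-provider.file-system.location=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].identity-provider-metadata-path=https://idp.example.test/metadata.xml
cas.authn.pac4j.saml[0].client-name=SAML2Client
cas.authn.pac4j.saml[0].auto-redirect-type=CLIENT

cas.authn.pac4j.saml[1].keystore-password=...
cas.authn.pac4j.saml[1].private-key-password=changeit
cas.authn.pac4j.saml[1].keystore-path=/etc/cas/config/other.jks
cas.authn.pac4j.saml[1].service-provider-entity-id=https://sso.example.org/cas/other
cas.authn.pac4j.saml[1].identity-provider-metadata-path=http://idp.example.test/metadata.xml
cas.authn.pac4j.saml[1].client-name=OtherSAML
cas.authn.pac4j.saml[1].auto-redirect-type=AUTOMATIC
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run it against a real cas.properties by passing the file contents to lint(); a clean client produces no findings, and every finding names the saml[N] index so it can be traced back to the block in question.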

Need Help?

If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.

So…

I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.

Happy Coding,

Misagh Moayyed