When setting up Apereo CAS to delegate authentication to external identity providers, one common consideration is whether the redirect to the identity provider should be triggered manually by the user or automatically by CAS, and what the user experience looks like in each case. There are at least three options to consider here, which we walk through below.
In this blog post, we will briefly review the configuration required to redirect to delegated identity providers and ways we can modify the system to handle automatic redirects.
Our starting position is as follows:
- CAS: 6.6.x
- Java: 11
Let’s start with the basic premise that our CAS server is prepped for external (delegated) authentication and that our external identity provider is Azure Active Directory with which we shall interact via the SAML2 protocol:
cas.authn.pac4j.saml[0].keystore-password=...
cas.authn.pac4j.saml[0].private-key-password=...
cas.authn.pac4j.saml[0].service-provider-entity-id=https://sso.example.org/cas/samlsp
cas.authn.pac4j.saml[0].service-provider.file-system.location=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].identity-provider-metadata-path=https://login.microsoftonline.com/...
cas.authn.pac4j.saml[0].client-name=SAML2Client
Now, let’s decide how to redirect to Azure AD.
The default configuration and setup always allow the user to make the selection from a menu:
This is useful in scenarios where you want to present all authentication options to the user.
It is also possible to instruct CAS to redirect to Azure AD automatically. The browser can be instructed to execute the redirect, so the user briefly sees the redirect happen along with a small visual cue and some instructive text, e.g. "Please wait while we redirect you…". This option is enabled with the following setting:
cas.authn.pac4j.saml[0].auto-redirect-type=CLIENT
The opposite option is also possible, where CAS is instructed to redirect to Azure AD automatically on the server side, thereby making itself completely invisible to the end user. This option is enabled with the following setting:
cas.authn.pac4j.saml[0].auto-redirect-type=SERVER
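Because all three choices above (menu selection, browser-side redirect, server-side redirect) are driven by properties under cas.authn.pac4j.saml[N], it is worth being able to review a properties file and see at a glance which clients are present, how each one redirects, and whether anything obvious is missing before CAS is started. The following script is an added example, not code from the original post or from the CAS project: it parses the indexed pac4j SAML properties shown above, reports the effective auto-redirect-type per client, and flags a few configuration mistakes. It assumes the three values NONE, CLIENT and SERVER for auto-redirect-type (CAS 6.6), the property names used in this post, and a constructed sample file that includes a deliberately misconfigured second client and placeholder tenant and secret values.

```python
"""Review pac4j SAML delegated-authentication settings in a CAS properties file.

Added example, not part of the original post or of the CAS project. It assumes
the property names shown in the post and the auto-redirect-type values
NONE, CLIENT and SERVER documented for CAS 6.6.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Documented values of cas.authn.pac4j.saml[N].auto-redirect-type (CAS 6.6).
VALID_REDIRECT_TYPES = {"NONE", "CLIENT", "SERVER"}
# Properties a SAML2 client needs before CAS can build an AuthnRequest.
REQUIRED_KEYS = {
    "client-name",
    "service-provider-entity-id",
    "keystore-path",
    "identity-provider-metadata-path",
}
_KEY_RE = re.compile(r"^cas\.authn\.pac4j\.saml\[(\d+)\]\.(.+)$")

# Constructed sample modelled on the post's configuration; the tenant id and
# secrets are placeholders, and client [1] is deliberately misconfigured.
SAMPLE_PROPERTIES = """
# primary client, server-side auto redirect
cas.authn.pac4j.saml[0].keystore-password=changeit-placeholder
cas.authn.pac4j.saml[0].private-key-password=changeit-placeholder
cas.authn.pac4j.saml[0].service-provider-entity-id=https://sso.example.org/cas/samlsp
cas.authn.pac4j.saml[0].service-provider.file-system.location=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystore-path=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].identity-provider-metadata-path=https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/federationmetadata.xml
cas.authn.pac4j.saml[0].client-name=SAML2Client
cas.authn.pac4j.saml[0].auto-redirect-type=SERVER

# second client with several problems
cas.authn.pac4j.saml[1].keystore-password=
cas.authn.pac4j.saml[1].service-provider-entity-id=https://sso.example.org/cas/samlsp2
cas.authn.pac4j.saml[1].keystore-path=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[1].identity-provider-metadata-path=http://idp.example.org/metadata.xml
cas.authn.pac4j.saml[1].client-name=OtherIdP
cas.authn.pac4j.saml[1].auto-redirect-type=browser
"""


def parse_properties(text):
    """Return {client_index: {property_suffix: value}} for pac4j SAML clients."""
    clients = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        # Java properties files allow '#' and '!' comment lines.
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = _KEY_RE.match(key.strip())
        if m:
            clients[int(m.group(1))][m.group(2).strip()] = value.strip()
    return dict(clients)


def redirect_summary(clients):
    """Map each client name to its configured auto-redirect-type (default NONE)."""
    return {
        props.get("client-name", f"saml[{idx}]"): props.get("auto-redirect-type", "NONE").upper()
        for idx, props in sorted(clients.items())
    }


def check_clients(clients):
    """Return a list of (client_index, message) findings; -1 marks global findings."""
    findings = []
    auto_redirecting = []
    for idx in sorted(clients):
        props = clients[idx]
        name = props.get("client-name", f"saml[{idx}]")
        for key in sorted(REQUIRED_KEYS - props.keys()):
            findings.append((idx, f"{name}: missing {key}"))
        redirect = props.get("auto-redirect-type", "NONE").upper()
        if redirect not in VALID_REDIRECT_TYPES:
            findings.append((idx, f"{name}: unknown auto-redirect-type {redirect!r}"))
        elif redirect != "NONE":
            auto_redirecting.append(name)
        # IdP metadata carries the IdP signing certificate; fetch it over TLS only.
        if urlparse(props.get("identity-provider-metadata-path", "")).scheme == "http":
            findings.append((idx, f"{name}: IdP metadata fetched over plain http"))
        for secret in ("keystore-password", "private-key-password"):
            if props.get(secret, "") in ("", "..."):
                findings.append((idx, f"{name}: {secret} is missing, empty or a placeholder"))
    if len(auto_redirecting) > 1:
        findings.append((-1, "more than one client auto-redirects: " + ", ".join(auto_redirecting)))
    return findings


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPERTIES)
    for client, mode in redirect_summary(parsed).items():
        print(f"{client}: auto-redirect-type={mode}")
    for idx, msg in check_clients(parsed):
        print(f"[saml[{idx}]] {msg}")
```

Point parse_properties at the contents of your own cas.properties to get the same summary; the unknown-value check matters because Spring Boot refuses to bind a value outside the enum and CAS will not start, while the plain-http check catches metadata that an on-path attacker could substitute.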
If you have questions about the contents and the topic of this blog post, or if you need additional guidance and support, feel free to send us a note and ask about consulting and support services.
I hope this review was of some help to you and I am sure that both this post as well as the functionality it attempts to explain can be improved in any number of ways. Please feel free to engage and contribute as best as you can.
Happy Coding,
Monday-Friday
9am-6pm, Central European Time
7am-1pm, U.S. Eastern Time