Thank you Ray for your reply.
I was able to configure authentication resolution strategy to stop login 
attempts of external users via LDAP, but there is no method for me to 
redirect the user to the appropriate IDP based on domain name with this. 

Regards,
Gautham

On Tuesday, April 15, 2025 at 10:08:45 PM UTC-5 Ray Bon wrote:

> Gautham,
>
> CAS processes the authentication methods in the order they are listed in 
> the config. If local ldap is last, all others will have to fail before it 
> is tried.
>
> https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Components.html#authentication-sequence
> You can also assign an order to each method.
>
> Or use authentication resolution strategy rather than authentication 
> policy.
>
> https://apereo.github.io/cas/7.1.x/authentication/Configuring-Authentication-Resolution.html
>
> Ray
> ------------------------------
> *From:* cas-...@apereo.org <cas-...@apereo.org> on behalf of gautham 
> jampala <gauta...@gmail.com>
> *Sent:* April 9, 2025 09:02
> *To:* cas-...@apereo.org <cas-...@apereo.org>
> *Subject:* [cas-user] CAS 7.1.4 Limit Delegation/Proxy user from using 
> basic Auth LDAP 
>  
> Hello, 
>
> I have 2 primary modes of authentication, one being an in-house LDAP where 
> usernames and passwords are stored for internal users and another Microsoft 
> Entra (there could be multiple, basically each company having one) for some 
> external users. I have both flows running properly. I want to stop external 
> users from logging in via LDAP. Ideally if an external user enters their 
> email and password, I want CAS to redirect them to the appropriate Entra 
> url based on their domain name.
>
> I did set up a:
> cas.authn.policy.groovy[0].script=file:/authRouting.groovy
>
> where I return an exception if the user is external, but this script is 
> called after LDAP authentication is successful and only returns an abstract 
> message that the user is not authenticated. 
>
> Are there any other properties that I could use to redirect the user based on 
> their domain name to a different authentication action?
>
> Thank you,
> Gautham
>

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/bb54aaba-8ef1-4999-a8a9-32884ed02a99n%40apereo.org.
