[midPoint] An SSO Contribution to midPoint using Jasig CAS

Jason Everling jeverling at bshp.edu
Tue Feb 3 18:11:03 CET 2015


I have successfully got this working so I wanted to post it so that if you
wanted to include it on your wiki, maybe clean it up so that the steps look
nicer!

CAS Usernames must match midPoint user "name"

In this example I am using Apache with Tomcat 7, auth-cas and mod-jk

Assumed Configuration:

Apache installed and configured with SSL
Tomcat installed and configured working already with midPoint

*Apache Configuration*

sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas


1. Configure mod-jk

Create a workers.properties file in /etc/apache2

sudo vi /etc/apache2/workers.properties

Add the following

worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13

2. Configure apache2 sites

sudo vi /etc/apache2/sites-available/default-ssl.conf

Add the following below the first default DocumentRoot /var/www/html

<Location ~ "/midpoint*">
  AuthType CAS
  AuthName "CAS"
  require valid-user
  CasAuthNHeader Cas-User
</Location>

JkMount /midpoint* worker1

3. Configure auth-cas

sudo vi /etc/apache2/mods-available/auth_cas.conf

Add the following

CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
# The line below is needed: auth-cas will use the server hostname in the service URL
# redirect, so we override that. Do not add a trailing / or add /midpoint!
CASRootProxiedAs https://MIDPOINTSERVERURL

Restart Apache2

sudo service apache2 restart

*Tomcat Configuration*

1. Configure tomcat to use the AJP connector

sudo vi /var/lib/tomcat7/conf/server.xml

Uncomment the following so that it reads

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

*Midpoint Configuration*

1. Edit ctx-web-security.xml

sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml

Uncomment the following so that it reads

<!-- For SSO integration use the following: -->
<custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />

Edit the following value "principalRequestHeader" in the bean
"requestHeaderAuthenticationFilter" so that it reads

<!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
<beans:bean id="requestHeaderAuthenticationFilter"
            class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="Cas-User"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

Finally restart tomcat7

sudo service tomcat7 restart

Users can now log in to midPoint using CAS

Thanks,
JASON
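An added check, not from Jason's post or the midPoint project: the setup above is only as strong as the guarantee that nothing reaches Tomcat except Apache, because RequestHeaderAuthenticationFilter accepts whatever Cas-User header arrives. This Python audit parses a server.xml and flags connectors that are not bound to loopback; the sample XML is constructed, and the Connector `address` attribute is standard Tomcat, with `address="127.0.0.1"` being the suggested hardening.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the post): Tomcat's default HTTP connector left
# enabled next to the AJP connector that the post uncomments.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed hardened variant: HTTP connector removed, AJP bound to loopback
# so only the local mod_jk worker (worker.worker1.host=localhost) can reach it.
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_connectors(server_xml):
    """Return (port, message) findings for connectors a client could reach
    without passing through Apache. Such a path lets the client supply its
    own Cas-User header, which the pre-auth filter would accept as a login."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port")
        proto = c.get("protocol", "HTTP/1.1")
        # Tomcat 7 listens on all interfaces when 'address' is not set.
        addr = c.get("address", "0.0.0.0")
        if addr in LOOPBACK:
            continue
        if proto.upper().startswith("AJP"):
            findings.append((port, f'AJP connector bound to {addr}; set address="127.0.0.1" '
                                   "so only the local mod_jk worker can reach it"))
        else:
            findings.append((port, f"{proto} connector bound to {addr}; requests to it bypass "
                                   "mod_auth_cas entirely, so remove it or bind it to loopback"))
    return findings


if __name__ == "__main__":
    for port, msg in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {msg}")
```

Run it against the real /var/lib/tomcat7/conf/server.xml by reading the file into audit_connectors; an empty result means every connector is loopback-only.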
