[midPoint] An SSO Contribution to midPoint using Jasig CAS
Radovan Semancik
radovan.semancik at evolveum.com
Wed Feb 4 15:03:37 CET 2015
Hi Jason,
Thanks a lot for the contribution. This would really be a nice addition
to our wiki. Just to be completely sure: you were setting up midPoint as
a client (relying party) in a CAS-based SSO system by using a CAS agent
in apache, right?
--
Radovan Semancik
Software Architect
evolveum.com
On 02/03/2015 06:11 PM, Jason Everling wrote:
> I have successfully got this working so I wanted to post it so that if
> you wanted to include it on your wiki, maybe clean it up so that the
> steps look nicer!
>
> CAS Usernames must match midPoint user "name"
>
> In this example I am using Apache with Tomcat 7, auth-cas and mod-jk
>
> Assumed Configuration:
>
> Apache installed and configured with SSL
> Tomcat installed and configured working already with midPoint
>
> *Apache Configuration*
>
> sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas
>
>
> 1. Configure mod-jk
>
> Create a workers.properties file in /etc/apache2
>
> sudo vi /etc/apache2/workers.properties
>
> Add the following
>
> worker.list=worker1
> worker.worker1.port=8009
> worker.worker1.host=localhost
> worker.worker1.type=ajp13
>
> 2. Configure apache2 sites
>
> sudo vi /etc/apache2/sites-available/default-ssl.conf
>
> Add the following below the first default DocumentRoot /var/www/html
>
> <Location ~ "/midpoint*">
> AuthType CAS
> AuthName "CAS"
> require valid-user
> CasAuthNHeader Cas-User
> </Location>
>
> JkMount /midpoint* worker1
>
> 3. Configure auth-cas
>
> sudo vi /etc/apache2/mods-available/auth_cas.conf
>
> Add the following
>
> CASCookiePath /var/cache/apache2/mod_auth_cas/
> CASLoginURL https://SERVERURL/cas/login
> CASValidateURL https://SERVERURL/cas/serviceValidate
> CASDebug Off
> CASValidateServer On
> CASVersion 2
> CASSSOEnabled On
> # Below is needed: auth-cas will use the server hostname in the service
> # URL redirect, so we override that. Do not add a trailing / or add
> # /midpoint!
> CASRootProxiedAs https://MIDPOINTSERVERURL
>
> Restart Apache2
>
> sudo service apache2 restart
>
> *Tomcat Configuration*
>
> 1. Configure tomcat to use the AJP connector
>
> sudo vi /var/lib/tomcat7/conf/server.xml
>
> Uncomment the following so that it reads
>
> <!-- Define an AJP 1.3 Connector on port 8009 -->
>
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>
> *Midpoint Configuration*
>
> 1. Edit ctx-web-security.xml
>
> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>
> Uncomment the following so that it reads
>
> <!-- For SSO integration use the following: -->
> <custom-filter position="PRE_AUTH_FILTER"
> ref="requestHeaderAuthenticationFilter" />
>
> Edit the following value "principalRequestHeader" in the bean
> "requestHeaderAuthenticationFilter" so that it reads
>
> <!-- Following bean is used with pre-authentication based on HTTP
> headers (e.g. for SSO integration) -->
> <beans:bean id="requestHeaderAuthenticationFilter"
> class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
> <beans:property name="principalRequestHeader" value="Cas-User"/>
> <beans:property name="authenticationManager"
> ref="authenticationManager" />
> </beans:bean>
>
> Finally restart tomcat7
>
> sudo service tomcat7 restart
>
> User can now login to midPoint using CAS
>
> Thanks,
> JASON
>
>
>
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> http://lists.evolveum.com/mailman/listinfo/midpoint
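A consistency check for the chain the quoted post configures (mod_auth_cas in Apache, mod_jk over AJP, midPoint's header-based pre-authentication filter), added here as an example and not code from the post or from midPoint. It parses the four snippets from the post (the constructed sample inputs below are copied from them), confirms that the header name, worker, and AJP port agree end to end, and flags an AJP connector that is not bound to loopback, since midPoint trusts the header and only Apache on the same host should be able to reach it. The finding codes are my own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, copied from the configuration snippets in the post above.
APACHE_SITE = '''<Location ~ "/midpoint*">
AuthType CAS
AuthName "CAS"
require valid-user
CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1
'''
WORKERS = "worker.list=worker1\nworker.worker1.port=8009\nworker.worker1.host=localhost\nworker.worker1.type=ajp13\n"
SERVER_XML = '<Server><Service><Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /></Service></Server>'
SPRING_XML = '<beans:property name="principalRequestHeader" value="Cas-User"/>'
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def check_sso_chain(apache_site, workers, server_xml, spring_xml):
    """Return a list of findings, each prefixed with a short code; an empty list means the chain is consistent."""
    findings = []
    # 1. The header mod_auth_cas injects must be the one midPoint's pre-auth filter reads.
    cas_hdr = re.search(r"^\s*CasAuthNHeader\s+(\S+)", apache_site, re.M)
    mp_hdr = re.search(r'name="principalRequestHeader"\s+value="([^"]*)"', spring_xml)
    if not (cas_hdr and mp_hdr):
        findings.append("header-missing: CasAuthNHeader or principalRequestHeader is not set")
    elif cas_hdr.group(1).lower() != mp_hdr.group(1).lower():  # HTTP header names are case-insensitive
        findings.append(f"header-mismatch: Apache sets {cas_hdr.group(1)}, midPoint reads {mp_hdr.group(1)}")
    # 2. JkMount for /midpoint must name a worker that workers.properties declares.
    props = dict(line.split("=", 1) for line in workers.splitlines() if "=" in line)
    mount = re.search(r"^\s*JkMount\s+\S*midpoint\S*\s+(\S+)", apache_site, re.M)
    worker = mount.group(1) if mount else None
    if worker is None or worker not in props.get("worker.list", "").split(","):
        findings.append("mount-missing: no JkMount for /midpoint to a declared worker")
        return findings
    # 3. Tomcat must have an AJP connector uncommented on the port the worker dials.
    ajp = [c for c in ET.fromstring(server_xml).iter("Connector") if c.get("protocol", "").startswith("AJP")]
    if not ajp:
        findings.append("ajp-missing: no AJP/1.3 Connector is enabled in server.xml")
        return findings
    want = props.get(f"worker.{worker}.port")
    if ajp[0].get("port") != want:
        findings.append(f"port-mismatch: worker dials {want}, Tomcat listens on {ajp[0].get('port')}")
    # 4. midPoint trusts the header, so only Apache on this host should reach the connector;
    #    without address=, Tomcat 7 binds the AJP port on every interface.
    if props.get(f"worker.{worker}.host") in LOOPBACK and ajp[0].get("address") not in LOOPBACK:
        findings.append("ajp-exposed: AJP Connector has no loopback address= attribute")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sso_chain(APACHE_SITE, WORKERS, SERVER_XML, SPRING_XML) or ["ok"]))
```

Run against the post's own snippets it reports only the unbound AJP connector; adding address="127.0.0.1" to the Connector clears it.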