[midPoint] An SSO Contribution to midPoint using Jasig CAS

Radovan Semancik radovan.semancik at evolveum.com
Wed Feb 4 15:34:24 CET 2015


Hi,

I have placed it in our wiki:
https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847

Thanks again!

-- 

                                            Radovan Semancik
                                           Software Architect
                                              evolveum.com



On 02/04/2015 03:06 PM, Jason Everling wrote:
> That is correct!
>
> JASON
>
> On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik
> <radovan.semancik at evolveum.com> wrote:
>
>     Hi Jason,
>
>     Thanks a lot for the contribution. This would really be a nice
>     addition to our wiki. Just to be completely sure: you were setting
>     up midPoint as a client (relying party) in a CAS-based SSO system
>     by using a CAS agent in apache, right?
>
>     -- 
>
>                                                 Radovan Semancik
>                                                Software Architect
>                                                   evolveum.com
>
>
>
>     On 02/03/2015 06:11 PM, Jason Everling wrote:
>>     I have successfully got this working so I wanted to post it so
>>     that if you wanted to include it on your wiki, maybe clean it up
>>     so that the steps look nicer!
>>
>>     CAS Usernames must match midPoint user "name"
>>
>>     In this example I am using Apache with Tomcat 7, auth-cas and mod-jk
>>
>>     Assumed Configuration:
>>
>>     Apache installed and configured with SSL
>>     Tomcat installed and configured working already with midPoint
>>
>>     *Apache Configuration*
>>
>>     sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas
>>
>>
>>     1. Configure mod-jk
>>
>>     Create a workers.properties file in /etc/apache2
>>
>>     sudo vi /etc/apache2/workers.properties
>>
>>     Add the following
>>
>>     worker.list=worker1
>>     worker.worker1.port=8009
>>     worker.worker1.host=localhost
>>     worker.worker1.type=ajp13
>>
>>     2. Configure apache2 sites
>>
>>     sudo vi /etc/apache2/sites-available/default-ssl.conf
>>
>>     Add the following below the first default DocumentRoot /var/www/html
>>
>>     <Location ~ "/midpoint*">
>>     AuthType CAS
>>     AuthName "CAS"
>>     require valid-user
>>     CasAuthNHeader Cas-User
>>     </Location>
>>
>>     JkMount /midpoint* worker1
>>
>>     3. Configure auth-cas
>>
>>     sudo vi /etc/apache2/mods-available/auth_cas.conf
>>
>>     Add the following
>>
>>     CASCookiePath /var/cache/apache2/mod_auth_cas/
>>     CASLoginURL https://SERVERURL/cas/login
>>     CASValidateURL https://SERVERURL/cas/serviceValidate
>>     CASDebug Off
>>     CASValidateServer On
>>     CASVersion 2
>>     CASSSOEnabled On
>>     # Below is needed: auth-cas will use the server hostname in the
>>     # service URL redirect, so we override that. Do not add a
>>     # trailing / or /midpoint!
>>     CASRootProxiedAs https://MIDPOINTSERVERURL
>>
>>     Restart Apache2
>>
>>     sudo service apache2 restart
>>
>>     *Tomcat Configuration*
>>
>>     1. Configure tomcat to use the AJP connector
>>
>>     sudo vi /var/lib/tomcat7/conf/server.xml
>>
>>     Uncomment the following so that it reads
>>
>>         <!-- Define an AJP 1.3 Connector on port 8009 -->
>>
>>         <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>
>>     *Midpoint Configuration*
>>
>>     1. Edit ctx-web-security.xml
>>
>>     sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>
>>     Uncomment the following so that it reads
>>
>>     <!-- For SSO integration use the following: -->
>>     <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
>>
>>     Edit the following value "principalRequestHeader" in the bean
>>     "requestHeaderAuthenticationFilter" so that it reads
>>
>>     <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
>>     <beans:bean id="requestHeaderAuthenticationFilter"
>>                 class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>         <beans:property name="principalRequestHeader" value="Cas-User"/>
>>         <beans:property name="authenticationManager" ref="authenticationManager" />
>>     </beans:bean>
>>
>>     Finally restart tomcat7
>>
>>     sudo service tomcat7 restart
>>
>>     User can now login to midPoint using CAS
>>
>>     Thanks,
>>     JASON
>>
>>
>>
>>
>>
>>     _______________________________________________
>>     midPoint mailing list
>>     midPoint at lists.evolveum.com
>>     http://lists.evolveum.com/mailman/listinfo/midpoint
>
>
>
>
>
>
>
>
>
>

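As an added consistency check (not part of the thread, and not a midPoint or mod_auth_cas tool), the following Python cross-checks the five configuration fragments quoted above against one another: that the header Apache injects (CasAuthNHeader) is the one midPoint's requestHeaderAuthenticationFilter trusts (principalRequestHeader), that CASRootProxiedAs follows the posted caveat about trailing "/" and "/midpoint", that the CAS URLs are https with certificate validation on, and that the mod_jk worker port matches the Tomcat AJP connector. The inputs are constructed copies of the posted snippets.

```python
import re  # the inputs below are constructed copies of the configuration posted in the thread

AUTH_CAS_CONF = """CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASValidateServer On
CASRootProxiedAs https://MIDPOINTSERVERURL
"""
SITE_CONF = """<Location ~ "/midpoint*">
AuthType CAS
CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1
"""
WORKERS = "worker.list=worker1\nworker.worker1.port=8009\nworker.worker1.type=ajp13\n"
SPRING_XML = '<beans:property name="principalRequestHeader" value="Cas-User"/>'
SERVER_XML = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'

def directives(text):
    """Parse 'Key value' Apache-style lines into a dict; comments and tags are skipped."""
    pairs = (l.strip().partition(" ") for l in text.splitlines())
    return {k: v.strip() for k, _, v in pairs if k and k[0] not in "#<"}

def check_sso_config(auth_cas=AUTH_CAS_CONF, site=SITE_CONF, workers=WORKERS,
                     spring_xml=SPRING_XML, server_xml=SERVER_XML):
    """Return a list of findings; an empty list means the five fragments agree."""
    findings, cas, loc = [], directives(auth_cas), directives(site)
    props = dict(l.split("=", 1) for l in workers.splitlines() if "=" in l)
    # The header Apache injects must be exactly the header midPoint trusts.
    m = re.search(r'name="principalRequestHeader"\s+value="([^"]+)"', spring_xml)
    if loc.get("CasAuthNHeader") != (m.group(1) if m else None):
        findings.append("CasAuthNHeader and principalRequestHeader differ")
    # Caveat from the post: no trailing '/' and no '/midpoint' on CASRootProxiedAs.
    root = cas.get("CASRootProxiedAs", "")
    if root.endswith("/") or root.endswith("/midpoint"):
        findings.append("CASRootProxiedAs must not end with '/' or '/midpoint'")
    # CASValidateServer On checks the CAS server's certificate; both CAS URLs must be https.
    if cas.get("CASValidateServer", "").lower() != "on":
        findings.append("CASValidateServer should be On")
    findings += [f"{k} should use https" for k in ("CASLoginURL", "CASValidateURL")
                 if not cas.get(k, "").startswith("https://")]
    # JkMount must name a listed worker whose port equals the Tomcat AJP connector port.
    jk = re.search(r"^JkMount\s+\S+\s+(\S+)", site, re.M)
    worker = jk.group(1) if jk else ""
    ajp = re.search(r'<Connector[^>]*port="(\d+)"[^>]*protocol="AJP/1.3"', server_xml)
    if worker not in props.get("worker.list", "").split(","):
        findings.append("JkMount worker is not in worker.list")
    elif not ajp or props.get(f"worker.{worker}.port") != ajp.group(1):
        findings.append("mod_jk worker port does not match the Tomcat AJP connector")
    return findings
```

Run it against the real files by reading each one into the corresponding argument; any finding means the pieces of the SSO chain no longer agree with each other.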


