[midPoint] An SSO Contribution to midPoint using Jasig CAS

Ivan Noris ivan.noris at evolveum.com
Wed Feb 4 18:30:47 CET 2015


Fixed, thanks.

I.

On 02/04/2015 05:40 PM, Jason Everling wrote:
> That looks good!
>
> I had made a typo on the following,
>
> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>
> Should be
>
> sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>
> JASON
>
> On Wed, Feb 4, 2015 at 8:34 AM, Radovan Semancik
> <radovan.semancik at evolveum.com <mailto:radovan.semancik at evolveum.com>>
> wrote:
>
>     Hi,
>
>     I have placed it in our wiki:
>     https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847
>
>     Thanks again!
>
>     -- 
>
>     Radovan Semancik
>     Software Architect
>     evolveum.com
>
>
>
>     On 02/04/2015 03:06 PM, Jason Everling wrote:
>>     That is correct!
>>
>>     JASON
>>
>>     On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik
>>     <radovan.semancik at evolveum.com
>>     <mailto:radovan.semancik at evolveum.com>> wrote:
>>
>>         Hi Jason,
>>
>>         Thanks a lot for the contribution. This would really be a
>>         nice addition to our wiki. Just to be completely sure: you
>>         were setting up midPoint as a client (relying party) in a
>>         CAS-based SSO system by using a CAS agent in apache, right?
>>
>>         -- 
>>
>>         Radovan Semancik
>>         Software Architect
>>         evolveum.com
>>
>>
>>
>>         On 02/03/2015 06:11 PM, Jason Everling wrote:
>>>         I have successfully got this working so I wanted to post it
>>>         so that if you wanted to include it on your wiki, maybe
>>>         clean it up so that the steps look nicer!
>>>
>>>         CAS Usernames must match midPoint user "name"
>>>
>>>         In this example I am using Apache with Tomcat 7, auth-cas
>>>         and mod-jk
>>>
>>>         Assumed Configuration:
>>>
>>>         Apache installed and configured with SSL
>>>         Tomcat installed and configured working already with midPoint
>>>
>>>         *Apache Configuration*
>>>
>>>         sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas
>>>
>>>
>>>         1. Configure mod-jk
>>>
>>>         Create a workers.properties file in /etc/apache2
>>>
>>>         sudo vi /etc/apache2/workers.properties
>>>
>>>         Add the following
>>>
>>>         worker.list=worker1
>>>         worker.worker1.port=8009
>>>         worker.worker1.host=localhost
>>>         worker.worker1.type=ajp13
>>>
>>>         2. Configure apache2 sites
>>>
>>>         sudo vi /etc/apache2/sites-available/default-ssl.conf
>>>
>>>         Add the following below the first default DocumentRoot
>>>         /var/www/html
>>>
>>>         <Location ~ "/midpoint*">
>>>          AuthType CAS
>>>          AuthName "CAS"
>>>          require valid-user
>>>          CasAuthNHeader Cas-User
>>>         </Location>
>>>
>>>         JkMount /midpoint* worker1
>>>
>>>         3. Configure auth-cas
>>>
>>>         sudo vi /etc/apache2/mods-available/auth_cas.conf
>>>
>>>         Add the following
>>>
>>>         CASCookiePath /var/cache/apache2/mod_auth_cas/
>>>         CASLoginURL https://SERVERURL/cas/login
>>>         CASValidateURL https://SERVERURL/cas/serviceValidate
>>>         CASDebug Off
>>>         CASValidateServer On
>>>         CASVersion 2
>>>         CASSSOEnabled On
>>>         #Below is needed: auth-cas will use the server hostname in the
>>>         #service URL redirect, so we override it. Do not add a trailing
>>>         #/ or /midpoint!
>>>         CASRootProxiedAs https://MIDPOINTSERVERURL
>>>
>>>         Restart Apache2
>>>
>>>         sudo service apache2 restart
>>>
>>>         *Tomcat Configuration*
>>>
>>>         1. Configure tomcat to use the AJP connector
>>>
>>>         sudo vi /var/lib/tomcat7/conf/server.xml
>>>
>>>         Uncomment the following so that it reads
>>>
>>>             <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>             <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>
>>>         *Midpoint Configuration*
>>>
>>>         1. Edit ctx-web-security.xml
>>>
>>>         sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>
>>>         Uncomment the following so that it reads
>>>
>>>         <!-- For SSO integration use the following: -->
>>>         <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
>>>
>>>         Edit the following value "principalRequestHeader" in the
>>>         bean "requestHeaderAuthenticationFilter" so that it reads
>>>
>>>         <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
>>>         <beans:bean id="requestHeaderAuthenticationFilter"
>>>             class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>>           <beans:property name="principalRequestHeader" value="Cas-User"/>
>>>           <beans:property name="authenticationManager" ref="authenticationManager" />
>>>         </beans:bean>
>>>
>>>         Finally restart tomcat7
>>>
>>>         sudo service tomcat7 restart
>>>
>>>         Users can now log in to midPoint using CAS.
>>>
>>>         Thanks,
>>>         JASON
>>>
>>>
>>>
>>>         CONFIDENTIALITY NOTICE:
>>>         This e-mail together with any attachments is proprietary and
>>>         confidential; intended for only the recipient(s) named above
>>>         and may contain information that is privileged. You should
>>>         not retain, copy or use this e-mail or any attachments for
>>>         any purpose, or disclose all or any part of the contents to
>>>         any person. Any views or opinions expressed in this e-mail
>>>         are those of the author and do not represent those of the
>>>         Baptist School of Health Professions. If you have received
>>>         this e-mail in error, or are not the named recipient(s), you
>>>         are hereby notified that any review, dissemination,
>>>         distribution or copying of this communication is prohibited
>>>         by the sender and to do so might constitute a violation of
>>>         the Electronic Communications Privacy Act, 18 U.S.C. section
>>>         2510-2521. Please immediately notify the sender and delete
>>>         this e-mail and any attachments from your computer.
>>>
>>>
>>>         _______________________________________________
>>>         midPoint mailing list
>>>         midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>         http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>

-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  evolveum.com     evolveum.com/blog/
  _____________________________________________
  "Semper Id(e)M Vix."
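As an added check that is not part of the thread or of midPoint itself: a small Python lint over the fragments Jason posted (constructed inline here rather than read from the files), confirming that the pieces agree with one another: the header mod_auth_cas sets is the header midPoint's pre-auth filter reads, CASRootProxiedAs carries no trailing / or /midpoint, the CAS URLs are https, and mod_jk hands off to the AJP port Tomcat's connector actually opens.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples mirroring the post's fragments (SERVERURL placeholders kept verbatim).
APACHE_SITE = ('<Location ~ "/midpoint*">\n AuthType CAS\n require valid-user\n'
               ' CasAuthNHeader Cas-User\n</Location>\nJkMount /midpoint* worker1\n')
AUTH_CAS = ('CASLoginURL https://SERVERURL/cas/login\n'
            'CASValidateURL https://SERVERURL/cas/serviceValidate\n'
            'CASValidateServer On\nCASRootProxiedAs https://MIDPOINTSERVERURL\n')
WORKERS = 'worker.list=worker1\nworker.worker1.port=8009\nworker.worker1.type=ajp13\n'
SERVER_XML = '<Server><Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/></Server>'
CTX_XML = ('<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">'
           '<beans:bean id="requestHeaderAuthenticationFilter" class="x">'
           '<beans:property name="principalRequestHeader" value="Cas-User"/>'
           '</beans:bean></beans:beans>')
NS = "{http://www.springframework.org/schema/beans}"

def directive(conf, name):
    """Arguments of the first Apache directive called `name` (case-insensitive), else []."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+(.+?)\s*$', conf, re.M | re.I)
    return m.group(1).split() if m else []

def principal_header(xml_text):
    """Header name midPoint's Spring pre-auth filter takes the principal from, or None."""
    for bean in ET.fromstring(xml_text).iter(NS + "bean"):
        if bean.get("id") == "requestHeaderAuthenticationFilter":
            for prop in bean.iter(NS + "property"):
                if prop.get("name") == "principalRequestHeader":
                    return prop.get("value")
    return None

def check_sso_wiring(site, cas, workers, server_xml, ctx_xml):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    hdr = directive(site, "CasAuthNHeader")
    if not hdr or hdr[0] != principal_header(ctx_xml):
        problems.append("CasAuthNHeader and principalRequestHeader differ")
    root = (directive(cas, "CASRootProxiedAs") or [""])[0]
    if root.endswith("/") or root.lower().endswith("/midpoint"):
        problems.append("CASRootProxiedAs must not end with / or /midpoint")
    for d in ("CASLoginURL", "CASValidateURL", "CASRootProxiedAs"):
        if not (directive(cas, d) or [""])[0].startswith("https://"):
            problems.append(d + " is not https")
    # mod_jk must hand off to the port Tomcat's AJP connector actually listens on.
    wp = re.search(r'^worker\.\w+\.port=(\d+)', workers, re.M)
    tp = [c.get("port") for c in ET.fromstring(server_xml).iter("Connector")
          if c.get("protocol", "").startswith("AJP")]
    if not wp or wp.group(1) not in tp:
        problems.append("mod_jk worker port does not match a Tomcat AJP connector")
    return problems
```

Running `check_sso_wiring(APACHE_SITE, AUTH_CAS, WORKERS, SERVER_XML, CTX_XML)` on the posted fragments returns an empty list; changing either header name or appending /midpoint to CASRootProxiedAs reports the mismatch.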
