[midPoint] An SSO Contribution to midPoint using Jasig CAS
Katarina Valalikova
k.valalikova at evolveum.com
Thu Feb 5 09:44:46 CET 2015
Hi Jason,
A few days ago I finished integrating the CAS server with midPoint using
the CAS client libraries (Spring). I've tested it and it works for me. I
only need to push it to midPoint's git repository and write some
notes on the wiki.
Regards,
Katarina Valalikova
On 4. 2. 2015 at 19:20 Jason Everling wrote:
> I was thinking about directly integrating the Java CAS Client into
> midPoint by forking the code then making the changes and adding the
> CAS client libraries. This way the CAS Login URL and options to use
> CAS can be set in the GUI and this can all be skipped.
>
> Is this Ok?
>
> JASON
>
> On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris <ivan.noris at evolveum.com
> <mailto:ivan.noris at evolveum.com>> wrote:
>
> Fixed, thanks.
>
> I.
>
>
> On 02/04/2015 05:40 PM, Jason Everling wrote:
>> That looks good!
>>
>> I had made a typo on the following,
>>
>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>
>> Should be
>>
>> sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>>
>> JASON
>>
>> On Wed, Feb 4, 2015 at 8:34 AM, Radovan Semancik
>> <radovan.semancik at evolveum.com
>> <mailto:radovan.semancik at evolveum.com>> wrote:
>>
>> Hi,
>>
>> I have placed it in our wiki:
>> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847
>>
>> Thanks again!
>>
>> --
>>
>> Radovan Semancik
>> Software Architect
>> evolveum.com <http://evolveum.com>
>>
>>
>>
>> On 02/04/2015 03:06 PM, Jason Everling wrote:
>>> That is correct!
>>>
>>> JASON
>>>
>>> On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik
>>> <radovan.semancik at evolveum.com
>>> <mailto:radovan.semancik at evolveum.com>> wrote:
>>>
>>> Hi Jason,
>>>
>>> Thanks a lot for the contribution. This would really be
>>> a nice addition to our wiki. Just to be completely sure:
>>> you were setting up midPoint as a client (relying party)
>>> in a CAS-based SSO system by using a CAS agent in
>>> apache, right?
>>>
>>> --
>>>
>>> Radovan Semancik
>>> Software Architect
>>> evolveum.com <http://evolveum.com>
>>>
>>>
>>>
>>> On 02/03/2015 06:11 PM, Jason Everling wrote:
>>>> I have successfully got this working, so I wanted to
>>>> post it in case you want to include it on your
>>>> wiki; maybe clean it up so that the steps look nicer!
>>>>
>>>> CAS Usernames must match midPoint user "name"
>>>>
>>>> In this example I am using Apache with Tomcat 7,
>>>> auth-cas and mod-jk
>>>>
>>>> Assumed Configuration:
>>>>
>>>> Apache installed and configured with SSL
>>>> Tomcat installed and configured working already with
>>>> midPoint
>>>>
>>>> *Apache Configuration*
>>>>
>>>> sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas
>>>>
>>>>
>>>> 1. Configure mod-jk
>>>>
>>>> Create a workers.properties file in /etc/apache2
>>>>
>>>> sudo vi /etc/apache2/workers.properties
>>>>
>>>> Add the following
>>>>
>>>> worker.list=worker1
>>>> worker.worker1.port=8009
>>>> worker.worker1.host=localhost
>>>> worker.worker1.type=ajp13
>>>>
>>>> 2. Configure apache2 sites
>>>>
>>>> sudo vi /etc/apache2/sites-available/default-ssl.conf
>>>>
>>>> Add the following below the first default DocumentRoot
>>>> /var/www/html
>>>>
>>>> <Location ~ "/midpoint*">
>>>> AuthType CAS
>>>> AuthName "CAS"
>>>> require valid-user
>>>> CasAuthNHeader Cas-User
>>>> </Location>
>>>>
>>>> JkMount /midpoint* worker1
>>>>
>>>> 3. Configure auth-cas
>>>>
>>>> sudo vi /etc/apache2/mods-available/auth_cas.conf
>>>>
>>>> Add the following
>>>>
>>>> CASCookiePath /var/cache/apache2/mod_auth_cas/
>>>> CASLoginURL https://SERVERURL/cas/login
>>>> CASValidateURL https://SERVERURL/cas/serviceValidate
>>>> CASDebug Off
>>>> CASValidateServer On
>>>> CASVersion 2
>>>> CASSSOEnabled On
>>>> # Below is needed: auth-cas will use the server hostname in the service URL redirect, so we override that; do not add a trailing / or add /midpoint!
>>>> CASRootProxiedAs https://MIDPOINTSERVERURL
>>>>
>>>> Restart Apache2
>>>>
>>>> sudo service apache2 restart
>>>>
>>>> *Tomcat Configuration*
>>>>
>>>> 1. Configure tomcat to use the AJP connector
>>>>
>>>> sudo vi /var/lib/tomcat7/conf/server.xml
>>>>
>>>> Uncomment the following so that it reads
>>>>
>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>
>>>> <Connector port="8009" protocol="AJP/1.3"
>>>> redirectPort="8443" />
>>>>
>>>> *Midpoint Configuration*
>>>>
>>>> 1. Edit ctx-web-security.xml
>>>>
>>>> sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>>>>
>>>> Uncomment the following so that it reads
>>>>
>>>> <!-- For SSO integration use the following: -->
>>>> <custom-filter position="PRE_AUTH_FILTER"
>>>> ref="requestHeaderAuthenticationFilter" />
>>>>
>>>> Edit the following value "principalRequestHeader" in
>>>> the bean "requestHeaderAuthenticationFilter" so that it
>>>> reads
>>>>
>>>> <!-- Following bean is used with pre-authentication
>>>> based on HTTP headers (e.g. for SSO integration) -->
>>>> <beans:bean id="requestHeaderAuthenticationFilter"
>>>> class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>>> <beans:property name="principalRequestHeader"
>>>> value="Cas-User"/>
>>>> <beans:property name="authenticationManager"
>>>> ref="authenticationManager" />
>>>> </beans:bean>
>>>>
>>>> Finally restart tomcat7
>>>>
>>>> sudo service tomcat7 restart
>>>>
>>>> Users can now log in to midPoint using CAS
>>>>
>>>> Thanks,
>>>> JASON
>>>>
>>>>
>>>>
>>>> CONFIDENTIALITY NOTICE:
>>>> This e-mail together with any attachments is
>>>> proprietary and confidential; intended for only the
>>>> recipient(s) named above and may contain information
>>>> that is privileged. You should not retain, copy or use
>>>> this e-mail or any attachments for any purpose, or
>>>> disclose all or any part of the contents to any person.
>>>> Any views or opinions expressed in this e-mail are
>>>> those of the author and do not represent those of the
>>>> Baptist School of Health Professions. If you have
>>>> received this e-mail in error, or are not the named
>>>> recipient(s), you are hereby notified that any review,
>>>> dissemination, distribution or copying of this
>>>> communication is prohibited by the sender and to do so
>>>> might constitute a violation of the Electronic
>>>> Communications Privacy Act, 18 U.S.C. section
>>>> 2510-2521. Please immediately notify the sender and
>>>> delete this e-mail and any attachments from your computer.
>>>>
>>>>
>>>> _______________________________________________
>>>> midPoint mailing list
>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>
>
> --
> Ing. Ivan Noris
> Senior Identity Management Engineer
> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
> _____________________________________________
> "Semper Id(e)M Vix."
>
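As an added illustration of what mod_auth_cas does behind the CASValidateURL, CASRootProxiedAs and CasAuthNHeader settings in Jason's steps (example code written for this page, not midPoint's, mod_auth_cas's or the thread's own code; the CAS responses are constructed samples):

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 XML responses

def service_url(request_url: str, root_proxied_as: Optional[str]) -> str:
    """Build the 'service' value sent to /cas/login and /cas/serviceValidate.
    Without CASRootProxiedAs it is derived from the Apache server name; with it,
    scheme and host are replaced so both calls carry the same service value
    (CAS rejects a ticket whose service differs from the one it was issued for)."""
    parts = urlsplit(request_url)
    if root_proxied_as:
        root = urlsplit(root_proxied_as.rstrip("/"))
        parts = parts._replace(scheme=root.scheme, netloc=root.netloc)
    # the ticket parameter itself is never part of the service URL
    query = "&".join(q for q in parts.query.split("&")
                     if q and not q.startswith("ticket="))
    return urlunsplit(parts._replace(query=query, fragment=""))

def validate_url(cas_validate_url: str, service: str, ticket: str) -> str:
    """The back-channel request mod_auth_cas sends to CASValidateURL."""
    return cas_validate_url + "?" + urlencode({"service": service, "ticket": ticket})

def parse_service_validate(xml_text: str) -> str:
    """Return the user from a CAS 2.0 serviceValidate response, or raise
    ValueError on authenticationFailure or a malformed body. This value is what
    mod_auth_cas writes into the Cas-User header and what midPoint's
    RequestHeaderAuthenticationFilter then matches against the user 'name'."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        raise ValueError(f"{failure.get('code')}: {(failure.text or '').strip()}")
    user = root.find(CAS_NS + "authenticationSuccess/" + CAS_NS + "user")
    if user is None or not (user.text or "").strip():
        raise ValueError("authenticationSuccess without a user element")
    return user.text.strip()

# constructed sample responses in the CAS 2.0 format (not captured from a server)
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```

Because midPoint accepts whatever value arrives in the Cas-User header, the Tomcat AJP connector on port 8009 should be reachable only from the Apache host that performed this validation.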