[midPoint] An SSO Contribution to midPoint using Jasig CAS
Katarina Valalikova
k.valalikova at evolveum.com
Thu Feb 5 18:00:47 CET 2015
Hi Jason,
The CAS Client integration is now available in midPoint's git
repository and I wrote a brief how-to on the wiki page
https://wiki.evolveum.com/pages/viewpage.action?pageId=17760854
If I've missed something just let me know, I'll fix it.
Regards,
Katarina Valalikova
On 5. 2. 2015 at 15:17 Jason Everling wrote:
> That is great! That is exactly what I was looking at doing and cannot
> believe I was thinking the same thing that you already accomplished!
>
> Cheers!
> JASON
>
> On Thu, Feb 5, 2015 at 2:44 AM, Katarina Valalikova
> <k.valalikova at evolveum.com> wrote:
>
> Hi Jason,
>
> A few days ago I finished the integration of the CAS server with midPoint
> using the CAS client libraries (Spring). I've tested it and it works
> for me. I only need to push it to midPoint's git repository
> and write some notes on the wiki.
>
> Regards,
> Katarina Valalikova
>
> On 4. 2. 2015 at 19:20 Jason Everling wrote:
>> I was thinking about directly integrating the Java CAS Client
>> into midPoint by forking the code then making the changes and
>> adding the CAS client libraries. This way the CAS Login URL and
>> options to use CAS can be set in the GUI and this can all be
>> skipped.
>>
>> Is this Ok?
>>
>> JASON
>>
>> On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris
>> <ivan.noris at evolveum.com> wrote:
>>
>> Fixed, thanks.
>>
>> I.
>>
>>
>> On 02/04/2015 05:40 PM, Jason Everling wrote:
>>> That looks good!
>>>
>>> I had made a typo on the following,
>>>
>>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>
>>> Should be
>>>
>>> sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>>>
>>> JASON
>>>
>>> On Wed, Feb 4, 2015 at 8:34 AM, Radovan Semancik
>>> <radovan.semancik at evolveum.com> wrote:
>>>
>>> Hi,
>>>
>>> I have placed it in our wiki:
>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847
>>>
>>> Thanks again!
>>>
>>> --
>>>
>>> Radovan Semancik
>>> Software Architect
>>> evolveum.com
>>>
>>>
>>>
>>> On 02/04/2015 03:06 PM, Jason Everling wrote:
>>>> That is correct!
>>>>
>>>> JASON
>>>>
>>>> On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik
>>>> <radovan.semancik at evolveum.com> wrote:
>>>>
>>>> Hi Jason,
>>>>
>>>> Thanks a lot for the contribution. This would
>>>> really be a nice addition to our wiki. Just to be
>>>> completely sure: you were setting up midPoint as a
>>>> client (relying party) in a CAS-based SSO system by
>>>> using a CAS agent in apache, right?
>>>>
>>>> --
>>>>
>>>> Radovan Semancik
>>>> Software Architect
>>>> evolveum.com
>>>>
>>>>
>>>>
>>>> On 02/03/2015 06:11 PM, Jason Everling wrote:
>>>>> I have successfully got this working so I wanted
>>>>> to post it so that if you wanted to include it on
>>>>> your wiki, maybe clean it up so that the steps
>>>>> look nicer!
>>>>>
>>>>> CAS Usernames must match midPoint user "name"
>>>>>
>>>>> In this example I am using Apache with Tomcat 7,
>>>>> auth-cas and mod-jk
>>>>>
>>>>> Assumed Configuration:
>>>>>
>>>>> Apache installed and configured with SSL
>>>>> Tomcat installed and configured working already
>>>>> with midPoint
>>>>>
>>>>> *Apache Configuration*
>>>>>
>>>>> sudo apt-get install libapache2-mod-jk
>>>>> libapache2-mod-auth-cas
>>>>>
>>>>>
>>>>> 1. Configure mod-jk
>>>>>
>>>>> Create a workers.properties file in /etc/apache2
>>>>>
>>>>> sudo vi /etc/apache2/workers.properties
>>>>>
>>>>> Add the following
>>>>>
>>>>> worker.list=worker1
>>>>> worker.worker1.port=8009
>>>>> worker.worker1.host=localhost
>>>>> worker.worker1.type=ajp13
>>>>>
>>>>> 2. Configure apache2 sites
>>>>>
>>>>> sudo vi /etc/apache2/sites-available/default-ssl.conf
>>>>>
>>>>> Add the following below the first default
>>>>> DocumentRoot /var/www/html
>>>>>
>>>>> <Location ~ "/midpoint*">
>>>>> AuthType CAS
>>>>> AuthName "CAS"
>>>>> require valid-user
>>>>> CasAuthNHeader Cas-User
>>>>> </Location>
>>>>>
>>>>> JkMount /midpoint* worker1
>>>>>
>>>>> 3. Configure auth-cas
>>>>>
>>>>> sudo vi /etc/apache2/mods-available/auth_cas.conf
>>>>>
>>>>> Add the following
>>>>>
>>>>> CASCookiePath /var/cache/apache2/mod_auth_cas/
>>>>> CASLoginURL https://SERVERURL/cas/login
>>>>> CASValidateURL https://SERVERURL/cas/serviceValidate
>>>>> CASDebug Off
>>>>> CASValidateServer On
>>>>> CASVersion 2
>>>>> CASSSOEnabled On
>>>>> # Below is needed: auth-cas will use the server
>>>>> # hostname in the service URL redirect so we will
>>>>> # override that. Do not add a trailing / or add
>>>>> # /midpoint!
>>>>> CASRootProxiedAs https://MIDPOINTSERVERURL
>>>>>
>>>>> Restart Apache2
>>>>>
>>>>> sudo service apache2 restart
>>>>>
>>>>> *Tomcat Configuration*
>>>>>
>>>>> 1. Configure tomcat to use the AJP connector
>>>>>
>>>>> sudo vi /var/lib/tomcat7/conf/server.xml
>>>>>
>>>>> Uncomment the following so that it reads
>>>>>
>>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>>
>>>>> <Connector port="8009" protocol="AJP/1.3"
>>>>> redirectPort="8443" />
>>>>> *Midpoint Configuration*
>>>>>
>>>>> 1. Edit ctx-web-security.xml
>>>>>
>>>>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>>>
>>>>> Uncomment the following so that it reads
>>>>>
>>>>> <!-- For SSO integration use the following: -->
>>>>> <custom-filter position="PRE_AUTH_FILTER"
>>>>> ref="requestHeaderAuthenticationFilter" />
>>>>>
>>>>> Edit the following value "principalRequestHeader"
>>>>> in the bean "requestHeaderAuthenticationFilter" so
>>>>> that it reads
>>>>>
>>>>> <!-- Following bean is used with
>>>>> pre-authentication based on HTTP headers (e.g. for
>>>>> SSO integration) -->
>>>>> <beans:bean id="requestHeaderAuthenticationFilter"
>>>>> class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>>>> <beans:property name="principalRequestHeader"
>>>>> value="Cas-User"/>
>>>>> <beans:property name="authenticationManager"
>>>>> ref="authenticationManager" />
>>>>> </beans:bean>
>>>>> Finally restart tomcat7
>>>>>
>>>>> sudo service tomcat7 restart
>>>>>
>>>>> User can now login to midPoint using CAS
>>>>>
>>>>> Thanks,
>>>>> JASON
>>>>>
>>>>>
>>>>>
>>>>> CONFIDENTIALITY NOTICE:
>>>>> This e-mail together with any attachments is
>>>>> proprietary and confidential; intended for only
>>>>> the recipient(s) named above and may contain
>>>>> information that is privileged. You should not
>>>>> retain, copy or use this e-mail or any attachments
>>>>> for any purpose, or disclose all or any part of
>>>>> the contents to any person. Any views or opinions
>>>>> expressed in this e-mail are those of the author
>>>>> and do not represent those of the Baptist School
>>>>> of Health Professions. If you have received this
>>>>> e-mail in error, or are not the named
>>>>> recipient(s), you are hereby notified that any
>>>>> review, dissemination, distribution or copying of
>>>>> this communication is prohibited by the sender and
>>>>> to do so might constitute a violation of the
>>>>> Electronic Communications Privacy Act, 18 U.S.C.
>>>>> section 2510-2521. Please immediately notify the
>>>>> sender and delete this e-mail and any attachments
>>>>> from your computer.
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> midPoint mailing list
>>>>> midPoint at lists.evolveum.com
>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>
>> --
>> Ing. Ivan Noris
>> Senior Identity Management Engineer
>> evolveum.com evolveum.com/blog/
>> _____________________________________________
>> "Semper Id(e)M Vix."
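The header-based pre-authentication that Jason's quoted how-to sets up makes midPoint trust whatever arrives in the Cas-User header, so the two things to verify are that mod_auth_cas and RequestHeaderAuthenticationFilter agree on the header name, and that no Tomcat connector can be reached without going through Apache (a request that skips Apache can carry any Cas-User value). The script below is an added example, not code from the thread or from midPoint; it runs over constructed fragments modelled on the snippets above and assumes the standard Spring beans namespace in ctx-web-security.xml.

```python
# Added check for the Apache -> Tomcat -> midPoint pre-auth chain (not from the thread).
import re
import xml.etree.ElementTree as ET
BEANS = "{http://www.springframework.org/schema/beans}"   # assumed Spring beans namespace

# Constructed fragments modelled on the thread's snippets; not real config files.
APACHE_CONF = """<Location ~ "/midpoint*">
  AuthType CAS
  CasAuthNHeader Cas-User
</Location>
"""
SECURITY_XML = """<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="requestHeaderAuthenticationFilter"
    class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="Cas-User"/>
  </beans:bean>
</beans:beans>"""
SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443"/>
</Service></Server>"""

def cas_header(apache_conf):
    """Header name mod_auth_cas writes (Apache directive names are case-insensitive)."""
    m = re.search(r"^\s*CasAuthNHeader\s+(\S+)", apache_conf, re.M | re.I)
    return m.group(1) if m else None

def principal_header(security_xml):
    """Header name RequestHeaderAuthenticationFilter trusts as the principal."""
    for bean in ET.fromstring(security_xml).iter(BEANS + "bean"):
        if bean.get("id") == "requestHeaderAuthenticationFilter":
            for prop in bean.findall(BEANS + "property"):
                if prop.get("name") == "principalRequestHeader":
                    return prop.get("value")
    return None

def exposed_connectors(server_xml):
    """Ports of Tomcat connectors not bound to loopback, i.e. reachable without Apache."""
    return [c.get("port") for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("address") not in ("127.0.0.1", "::1", "localhost")]

def findings(apache_conf=APACHE_CONF, security_xml=SECURITY_XML, server_xml=SERVER_XML):
    out = []
    cas, spring = cas_header(apache_conf), principal_header(security_xml)
    if cas is None or spring is None or cas.lower() != spring.lower():
        out.append(f"header mismatch: mod_auth_cas sets {cas!r}, midPoint reads {spring!r}")
    for port in exposed_connectors(server_xml):
        out.append(f"connector on port {port} bypasses Apache: {spring!r} can be set by any client")
    return out
```

With the sample server.xml the plain HTTP connector on 8080 is reported; the fix in the how-to's setup is to remove that connector or bind it (and the AJP one) to 127.0.0.1.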