[midPoint] An SSO Contribution to midPoint using Jasig CAS
Katarina Valalikova
k.valalikova at evolveum.com
Fri Feb 6 14:10:48 CET 2015
Hi Jason,
I just want to let you know that I had a bug in the CAS SSO integration
(stupid copy&paste error). The fix is now available in master (from
revision v3.2devel-23-g3d28144), or you can fix it directly in your
environment.
The problem is that there is a bad reference to the UserDetailsService
implementation. To fix it, you need to open ctx-web-security.xml, find
the definition of the 'casAuthenticationProvider' bean and replace
'userService' with 'userDetailsService'. The bean should look like the
following:
<beans:bean id="casAuthenticationProvider"
    class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
    <beans:property name="authenticationUserDetailsService">
        <beans:bean
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:constructor-arg ref="userDetailsService" />
        </beans:bean>
    </beans:property>
    <beans:property name="serviceProperties" ref="serviceProperties" />
    <beans:property name="ticketValidator">
        <beans:bean
            class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
            <beans:constructor-arg index="0" value="https://CASSERVER/cas" />
        </beans:bean>
    </beans:property>
    <beans:property name="key" value="CAS_ID"/>
</beans:bean>
Hope you didn't get stuck on this,
regards,
Katarina Valalikova
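An added illustration (not midPoint's code and not the Jasig CAS client library) of the two steps that the bean above wires together: the service-ticket validation that Cas20ServiceTicketValidator (and, in the Apache variant, mod_auth_cas via CASValidateURL) performs against the CAS server's /serviceValidate endpoint, and the lookup of the returned CAS user name against midPoint users that the 'userDetailsService' reference provides. The CAS responses, the user directory, the ticket and the OID value are constructed sample data; CASSERVER and MIDPOINTSERVERURL are the placeholders used in this thread.

```python
"""Illustration of the CAS 2.0 ticket-validation step (added example).

Not midPoint's code and not the Jasig CAS client library. Both
Cas20ServiceTicketValidator (Spring) and mod_auth_cas (CASValidateURL)
do the same two things: call <CAS server>/serviceValidate with the
service ticket and the service URL, then parse the XML reply. The
responses and the user directory below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Namespace fixed by the CAS protocol specification.
CAS_NS = "http://www.yale.edu/tp/cas"
CAS = "{%s}" % CAS_NS


class CasValidationError(Exception):
    """The ticket was rejected or the response could not be interpreted."""


def build_validate_url(cas_server: str, service: str, ticket: str) -> str:
    """URL a CAS client calls to validate a service ticket (CAS 2.0).

    `service` must be exactly the URL the user was redirected back to,
    otherwise the CAS server answers with INVALID_SERVICE.
    """
    query = urlencode({"service": service, "ticket": ticket})
    return "%s/serviceValidate?%s" % (cas_server.rstrip("/"), query)


def parse_service_response(xml_text: str) -> str:
    """Return the authenticated user name or raise CasValidationError."""
    # For replies fetched over an untrusted network, parse with defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != CAS + "serviceResponse":
        raise CasValidationError("not a cas:serviceResponse document")
    failure = root.find(CAS + "authenticationFailure")
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError("%s: %s" % (code, (failure.text or "").strip()))
    success = root.find(CAS + "authenticationSuccess")
    user = success.find(CAS + "user") if success is not None else None
    if user is None or not (user.text or "").strip():
        raise CasValidationError("response carries neither success nor failure")
    return user.text.strip()


def resolve_midpoint_user(cas_user: str, directory: dict) -> dict:
    """Mirror of the UserDetailsService lookup: the CAS user name must equal
    the midPoint user 'name'; an unknown name is rejected, never auto-created."""
    user = directory.get(cas_user)
    if user is None:
        raise CasValidationError("no midPoint user named %r" % cas_user)
    return user


# --- constructed sample data (not real tickets, users or OIDs) -----------
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-000-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

MIDPOINT_USERS = {"jdoe": {"name": "jdoe", "oid": "00000000-example"}}


def login_from_response(xml_text: str, directory: dict = MIDPOINT_USERS) -> dict:
    """Client-side flow once the serviceValidate reply has been fetched."""
    return resolve_midpoint_user(parse_service_response(xml_text), directory)


if __name__ == "__main__":
    print(build_validate_url("https://CASSERVER/cas",
                             "https://MIDPOINTSERVERURL/midpoint/", "ST-000-example"))
    print(login_from_response(SUCCESS_RESPONSE))
    try:
        login_from_response(FAILURE_RESPONSE)
    except CasValidationError as err:
        print("rejected:", err)
```

The lookup step is where the wrong 'userService' reference bit: if the wrapper is pointed at a bean that does not resolve midPoint users by name, a valid CAS ticket still ends in a failed login, which is the symptom to check for after applying the fix.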
On 5. 2. 2015 at 22:17 Jason Everling wrote:
> That looks good! This will benefit a lot of places that use CAS,
> especially Universities. Using the Java client is better in the long
> run also with a broader set of features than just using Apache.
>
> I am going to test it out and see how it goes,
>
> Awesome work!
>
> JASON
>
> On Thu, Feb 5, 2015 at 11:00 AM, Katarina Valalikova
> <k.valalikova at evolveum.com <mailto:k.valalikova at evolveum.com>> wrote:
>
> Hi Jason,
>
> The CAS Client integration is now available in midPoint's git
> repository and I wrote a brief how-to on the wiki page
> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760854
>
> If I've missed something just let me know, I'll fix it.
>
> Regards,
> Katarina Valalikova
>
> On 5. 2. 2015 at 15:17 Jason Everling wrote:
>> That is great! That is exactly what I was looking at doing and
>> cannot believe I was thinking the same thing that you already
>> accomplished!
>>
>> Cheers!
>> JASON
>>
>> On Thu, Feb 5, 2015 at 2:44 AM, Katarina Valalikova
>> <k.valalikova at evolveum.com <mailto:k.valalikova at evolveum.com>> wrote:
>>
>> Hi Jason,
>>
>> A few days ago I finished the integration of CAS server with
>> midPoint using the CAS client libraries (Spring). I've tested it
>> and it works for me. I only need to push it to midPoint's
>> git repository and write some notes on the wiki.
>>
>> Regards,
>> Katarina Valalikova
>>
>> On 4. 2. 2015 at 19:20 Jason Everling wrote:
>>> I was thinking about directly integrating the Java CAS
>>> Client into midPoint by forking the code then making the
>>> changes and adding the CAS client libraries. This way the
>>> CAS Login URL and options to use CAS can be set in the GUI
>>> and this can all be skipped.
>>>
>>> Is this Ok?
>>>
>>> JASON
>>>
>>> On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris
>>> <ivan.noris at evolveum.com <mailto:ivan.noris at evolveum.com>>
>>> wrote:
>>>
>>> Fixed, thanks.
>>>
>>> I.
>>>
>>>
>>> On 02/04/2015 05:40 PM, Jason Everling wrote:
>>>> That looks good!
>>>>
>>>> I had made a typo on the following,
>>>>
>>>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>>
>>>> Should be
>>>>
>>>> sudo vi
>>>> /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>>>>
>>>> JASON
>>>>
>>>> On Wed, Feb 4, 2015 at 8:34 AM, Radovan Semancik
>>>> <radovan.semancik at evolveum.com
>>>> <mailto:radovan.semancik at evolveum.com>> wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have placed it in our wiki:
>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847
>>>>
>>>> Thanks again!
>>>>
>>>> --
>>>>
>>>> Radovan Semancik
>>>> Software Architect
>>>> evolveum.com <http://evolveum.com>
>>>>
>>>>
>>>>
>>>> On 02/04/2015 03:06 PM, Jason Everling wrote:
>>>>> That is correct!
>>>>>
>>>>> JASON
>>>>>
>>>>> On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik
>>>>> <radovan.semancik at evolveum.com
>>>>> <mailto:radovan.semancik at evolveum.com>> wrote:
>>>>>
>>>>> Hi Jason,
>>>>>
>>>>> Thanks a lot for the contribution. This would
>>>>> really be a nice addition to our wiki. Just to
>>>>> be completely sure: you were setting up
>>>>> midPoint as a client (relying party) in a
>>>>> CAS-based SSO system by using a CAS agent in
>>>>> apache, right?
>>>>>
>>>>> --
>>>>>
>>>>> Radovan Semancik
>>>>> Software Architect
>>>>> evolveum.com <http://evolveum.com>
>>>>>
>>>>>
>>>>>
>>>>> On 02/03/2015 06:11 PM, Jason Everling wrote:
>>>>>> I have successfully got this working so I
>>>>>> wanted to post it so that if you wanted to
>>>>>> include it on your wiki, maybe clean it up so
>>>>>> that the steps look nicer!
>>>>>>
>>>>>> CAS Usernames must match midPoint user "name"
>>>>>>
>>>>>> In this example I am using Apache with Tomcat
>>>>>> 7, auth-cas and mod-jk
>>>>>>
>>>>>> Assumed Configuration:
>>>>>>
>>>>>> Apache installed and configured with SSL
>>>>>> Tomcat installed and configured working
>>>>>> already with midPoint
>>>>>>
>>>>>> *Apache Configuration*
>>>>>>
>>>>>> sudo apt-get install libapache2-mod-jk
>>>>>> libapache2-mod-auth-cas
>>>>>>
>>>>>>
>>>>>> 1. Configure mod-jk
>>>>>>
>>>>>> Create a workers.properties file in /etc/apache2
>>>>>>
>>>>>> sudo vi /etc/apache2/workers.properties
>>>>>>
>>>>>> Add the following
>>>>>>
>>>>>> worker.list=worker1
>>>>>> worker.worker1.port=8009
>>>>>> worker.worker1.host=localhost
>>>>>> worker.worker1.type=ajp13
>>>>>>
>>>>>> 2. Configure apache2 sites
>>>>>>
>>>>>> sudo vi
>>>>>> /etc/apache2/sites-available/default-ssl.conf
>>>>>>
>>>>>> Add the following below the first default
>>>>>> DocumentRoot /var/www/html
>>>>>>
>>>>>> <Location ~ "/midpoint*">
>>>>>> AuthType CAS
>>>>>> AuthName "CAS"
>>>>>> require valid-user
>>>>>> CasAuthNHeader Cas-User
>>>>>> </Location>
>>>>>>
>>>>>> JkMount /midpoint* worker1
>>>>>>
>>>>>> 3. Configure auth-cas
>>>>>>
>>>>>> sudo vi /etc/apache2/mods-available/auth_cas.conf
>>>>>>
>>>>>> Add the following
>>>>>>
>>>>>> CASCookiePath /var/cache/apache2/mod_auth_cas/
>>>>>> CASLoginURL https://SERVERURL/cas/login
>>>>>> CASValidateURL https://SERVERURL/cas/serviceValidate
>>>>>> CASDebug Off
>>>>>> CASValidateServer On
>>>>>> CASVersion 2
>>>>>> CASSSOEnabled On
>>>>>> # Below is needed: auth-cas will use the server hostname in the
>>>>>> # service URL redirect, so we override that. Do not add a
>>>>>> # trailing / or add /midpoint!
>>>>>> CASRootProxiedAs https://MIDPOINTSERVERURL
>>>>>>
>>>>>> Restart Apache2
>>>>>>
>>>>>> sudo service apache2 restart
>>>>>>
>>>>>> *Tomcat Configuration*
>>>>>>
>>>>>> 1. Configure tomcat to use the AJP connector
>>>>>>
>>>>>> sudo vi /var/lib/tomcat7/conf/server.xml
>>>>>>
>>>>>> Uncomment the following so that it reads
>>>>>>
>>>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>>>
>>>>>> <Connector port="8009" protocol="AJP/1.3"
>>>>>> redirectPort="8443" />
>>>>>> *Midpoint Configuration*
>>>>>>
>>>>>> 1. Edit ctx-web-security.xml
>>>>>>
>>>>>> sudo vi
>>>>>> /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>>>>
>>>>>> Uncomment the following so that it reads
>>>>>>
>>>>>> <!-- For SSO integration use the following: -->
>>>>>> <custom-filter position="PRE_AUTH_FILTER"
>>>>>> ref="requestHeaderAuthenticationFilter" />
>>>>>>
>>>>>> Edit the following value
>>>>>> "principalRequestHeader" in the bean
>>>>>> "requestHeaderAuthenticationFilter" so that
>>>>>> it reads
>>>>>>
>>>>>> <!-- Following bean is used with
>>>>>> pre-authentication based on HTTP headers
>>>>>> (e.g. for SSO integration) -->
>>>>>> <beans:bean
>>>>>> id="requestHeaderAuthenticationFilter"
>>>>>> class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>>>>> <beans:property
>>>>>> name="principalRequestHeader" value="Cas-User"/>
>>>>>> <beans:property name="authenticationManager"
>>>>>> ref="authenticationManager" />
>>>>>> </beans:bean>
>>>>>> Finally restart tomcat7
>>>>>>
>>>>>> sudo service tomcat7 restart
>>>>>>
>>>>>> Users can now log in to midPoint using CAS
>>>>>>
>>>>>> Thanks,
>>>>>> JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is
>>>>>> proprietary and confidential; intended for
>>>>>> only the recipient(s) named above and may
>>>>>> contain information that is privileged. You
>>>>>> should not retain, copy or use this e-mail or
>>>>>> any attachments for any purpose, or disclose
>>>>>> all or any part of the contents to any
>>>>>> person. Any views or opinions expressed in
>>>>>> this e-mail are those of the author and do
>>>>>> not represent those of the Baptist School of
>>>>>> Health Professions. If you have received this
>>>>>> e-mail in error, or are not the named
>>>>>> recipient(s), you are hereby notified that
>>>>>> any review, dissemination, distribution or
>>>>>> copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a
>>>>>> violation of the Electronic Communications
>>>>>> Privacy Act, 18 U.S.C. section 2510-2521.
>>>>>> Please immediately notify the sender and
>>>>>> delete this e-mail and any attachments from
>>>>>> your computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com <mailto:midPoint at lists.evolveum.com>
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>
>>> --
>>> Ing. Ivan Noris
>>> Senior Identity Management Engineer
>>> evolveum.com <http://evolveum.com> evolveum.com/blog/ <http://evolveum.com/blog/>
>>> _____________________________________________
>>> "Semper Id(e)M Vix."