[midPoint] An SSO Contribution to midPoint using Jasig CAS
Jason Everling
jeverling at bshp.edu
Fri Feb 6 14:26:22 CET 2015
No, I haven't added those changes to my setup yet. I am actually in the
process of upgrading our CAS SSO environment, which is what got me started
thinking about adding this to midPoint. Almost done; a few more tests I
need to run before I deploy it to our cluster, then back to midPoint.
Thanks!
JASON
On Fri, Feb 6, 2015 at 7:10 AM, Katarina Valalikova <
k.valalikova at evolveum.com> wrote:
> Hi Jason,
>
> I just want to let you know that I had a bug in the CAS SSO integration
> (stupid copy&paste error). The fix is now available in master (from
> revision v3.2devel-23-g3d28144), or you can fix it directly in your
> environment.
>
> The problem is a bad reference to the UserDetailsService
> implementation. To fix it, open ctx-web-security.xml, find the
> definition of the 'casAuthenticationProvider' bean and replace 'userService'
> with 'userDetailsService'. The bean should look like the following:
>
> <beans:bean id="casAuthenticationProvider"
>     class="org.springframework.security.cas.authentication.CasAuthenticationProvider">
>     <beans:property name="authenticationUserDetailsService">
>         <beans:bean
>             class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
>             <beans:constructor-arg ref="userDetailsService" />
>         </beans:bean>
>     </beans:property>
>     <beans:property name="serviceProperties" ref="serviceProperties" />
>     <beans:property name="ticketValidator">
>         <beans:bean
>             class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
>             <beans:constructor-arg index="0" value="https://CASSERVER/cas" />
>         </beans:bean>
>     </beans:property>
>     <beans:property name="key" value="CAS_ID"/>
> </beans:bean>
>
> Hope you didn't get stuck on this,
> regards,
> Katarina Valalikova
>
> On 5. 2. 2015 at 22:17 Jason Everling wrote:
>
> That looks good! This will benefit a lot of places that use CAS,
> especially universities. Using the Java client is also better in the long
> run, with a broader set of features than just using Apache.
>
> I am going to test it out and see how it goes,
>
> Awesome work!
>
> JASON
>
> On Thu, Feb 5, 2015 at 11:00 AM, Katarina Valalikova <
> k.valalikova at evolveum.com> wrote:
>
>> Hi Jason,
>>
>> The CAS Client integration is now available in the midPoint's git
>> repository and I wrote brief how to on the wiki page
>> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760854
>>
>> If I've missed something just let me know, I'll fix it.
>>
>> Regards,
>> Katarina Valalikova
>>
>> On 5. 2. 2015 at 15:17 Jason Everling wrote:
>>
>> That is great! That is exactly what I was looking at doing, and I cannot
>> believe I was thinking the same thing that you had already accomplished!
>>
>> Cheers!
>> JASON
>>
>> On Thu, Feb 5, 2015 at 2:44 AM, Katarina Valalikova <
>> k.valalikova at evolveum.com> wrote:
>>
>>> Hi Jason,
>>>
>>> A few days ago I finished the integration of the CAS server with midPoint
>>> using the CAS client libraries (Spring). I've tested it and it works for me.
>>> I only need to push it to midPoint's git repository and write some notes on
>>> the wiki.
>>>
>>> Regards,
>>> Katarina Valalikova
>>>
>>> On 4. 2. 2015 at 19:20 Jason Everling wrote:
>>>
>>> I was thinking about directly integrating the Java CAS Client into
>>> midPoint by forking the code, then making the changes and adding the CAS
>>> client libraries. This way the CAS login URL and the option to use CAS can
>>> be set in the GUI and all of this can be skipped.
>>>
>>> Is this Ok?
>>>
>>> JASON
>>>
>>> On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris <ivan.noris at evolveum.com>
>>> wrote:
>>>
>>>> Fixed, thanks.
>>>>
>>>> I.
>>>>
>>>>
>>>> On 02/04/2015 05:40 PM, Jason Everling wrote:
>>>>
>>>> That looks good!
>>>>
>>>> I had made a typo on the following,
>>>>
>>>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>>
>>>> Should be
>>>>
>>>> sudo vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml
>>>>
>>>> JASON
>>>>
>>>> On Wed, Feb 4, 2015 at 8:34 AM, Radovan Semancik <
>>>> radovan.semancik at evolveum.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have placed it in our wiki:
>>>>> https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847
>>>>>
>>>>> Thanks again!
>>>>>
>>>>> --
>>>>>
>>>>> Radovan Semancik
>>>>> Software Architect
>>>>> evolveum.com
>>>>>
>>>>>
>>>>>
>>>>> On 02/04/2015 03:06 PM, Jason Everling wrote:
>>>>>
>>>>> That is correct!
>>>>>
>>>>> JASON
>>>>>
>>>>> On Wed, Feb 4, 2015 at 8:03 AM, Radovan Semancik <
>>>>> radovan.semancik at evolveum.com> wrote:
>>>>>
>>>>>> Hi Jason,
>>>>>>
>>>>>> Thanks a lot for the contribution. This would really be a nice
>>>>>> addition to our wiki. Just to be completely sure: you were setting up
>>>>>> midPoint as a client (relying party) in a CAS-based SSO system by using a
>>>>>> CAS agent in apache, right?
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Radovan Semancik
>>>>>> Software Architect
>>>>>> evolveum.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 02/03/2015 06:11 PM, Jason Everling wrote:
>>>>>>
>>>>>> I have successfully got this working, so I wanted to post it in case
>>>>>> you want to include it on your wiki; maybe clean it up so that the
>>>>>> steps look nicer!
>>>>>>
>>>>>> CAS Usernames must match midPoint user "name"
>>>>>>
>>>>>> In this example I am using Apache with Tomcat 7, auth-cas and mod-jk
>>>>>>
>>>>>> Assumed Configuration:
>>>>>>
>>>>>> Apache installed and configured with SSL
>>>>>> Tomcat installed and configured working already with midPoint
>>>>>>
>>>>>> *Apache Configuration*
>>>>>>
>>>>>> sudo apt-get install libapache2-mod-jk libapache2-mod-auth-cas
>>>>>>
>>>>>>
>>>>>> 1. Configure mod-jk
>>>>>>
>>>>>> Create a workers.properties file in /etc/apache2
>>>>>>
>>>>>> sudo vi /etc/apache2/workers.properties
>>>>>>
>>>>>> Add the following
>>>>>>
>>>>>> worker.list=worker1
>>>>>> worker.worker1.port=8009
>>>>>> worker.worker1.host=localhost
>>>>>> worker.worker1.type=ajp13
>>>>>>
>>>>>> 2. Configure apache2 sites
>>>>>>
>>>>>> sudo vi /etc/apache2/sites-available/default-ssl.conf
>>>>>>
>>>>>> Add the following below the first default DocumentRoot /var/www/html
>>>>>>
>>>>>> # "~" takes a regex, so anchor it: an unanchored "/midpoint*" would also
>>>>>> # match any path merely containing "/midpoin"
>>>>>> <Location ~ "^/midpoint">
>>>>>>     AuthType CAS
>>>>>>     AuthName "CAS"
>>>>>>     require valid-user
>>>>>>     CasAuthNHeader Cas-User
>>>>>> </Location>
>>>>>>
>>>>>> JkMount /midpoint* worker1
>>>>>>
>>>>>> 3. Configure auth-cas
>>>>>>
>>>>>> sudo vi /etc/apache2/mods-available/auth_cas.conf
>>>>>>
>>>>>> Add the following
>>>>>>
>>>>>> CASCookiePath /var/cache/apache2/mod_auth_cas/
>>>>>> CASLoginURL https://SERVERURL/cas/login
>>>>>> CASValidateURL https://SERVERURL/cas/serviceValidate
>>>>>> CASDebug Off
>>>>>> CASValidateServer On
>>>>>> CASVersion 2
>>>>>> CASSSOEnabled On
>>>>>> # Below is needed: auth-cas uses the server hostname in the service URL
>>>>>> # redirect, so we override it. Do not add a trailing / or add /midpoint!
>>>>>> CASRootProxiedAs https://MIDPOINTSERVERURL
>>>>>>
>>>>>> Restart Apache2
>>>>>>
>>>>>> sudo service apache2 restart
>>>>>>
>>>>>> *Tomcat Configuration*
>>>>>>
>>>>>> 1. Configure Tomcat to use the AJP connector
>>>>>>
>>>>>> sudo vi /var/lib/tomcat7/conf/server.xml
>>>>>>
>>>>>> Uncomment the following so that it reads
>>>>>>
>>>>>> <!-- Define an AJP 1.3 Connector on port 8009 -->
>>>>>> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
>>>>>>
>>>>>> *Midpoint Configuration*
>>>>>>
>>>>>> 1. Edit ctx-web-security.xml
>>>>>>
>>>>>> sudo vi /var/lib/tomcat7/webapps/ctx-web-security.xml
>>>>>>
>>>>>> Uncomment the following so that it reads
>>>>>>
>>>>>> <!-- For SSO integration use the following: -->
>>>>>> <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
>>>>>>
>>>>>> Edit the value of "principalRequestHeader" in the bean
>>>>>> "requestHeaderAuthenticationFilter" so that it reads
>>>>>>
>>>>>> <!-- Following bean is used with pre-authentication based on
>>>>>>      HTTP headers (e.g. for SSO integration) -->
>>>>>> <beans:bean id="requestHeaderAuthenticationFilter"
>>>>>>     class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
>>>>>>     <beans:property name="principalRequestHeader" value="Cas-User"/>
>>>>>>     <beans:property name="authenticationManager" ref="authenticationManager" />
>>>>>> </beans:bean>
>>>>>>
>>>>>> Finally restart tomcat7
>>>>>>
>>>>>> sudo service tomcat7 restart
>>>>>>
>>>>>> Users can now log in to midPoint using CAS.
>>>>>>
>>>>>> Thanks,
>>>>>> JASON
>>>>>>
>>>>>>
>>>>>>
>>>>>> CONFIDENTIALITY NOTICE:
>>>>>> This e-mail together with any attachments is proprietary and
>>>>>> confidential; intended for only the recipient(s) named above and may
>>>>>> contain information that is privileged. You should not retain, copy or use
>>>>>> this e-mail or any attachments for any purpose, or disclose all or any part
>>>>>> of the contents to any person. Any views or opinions expressed in this
>>>>>> e-mail are those of the author and do not represent those of the Baptist
>>>>>> School of Health Professions. If you have received this e-mail in error, or
>>>>>> are not the named recipient(s), you are hereby notified that any review,
>>>>>> dissemination, distribution or copying of this communication is prohibited
>>>>>> by the sender and to do so might constitute a violation of the Electronic
>>>>>> Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
>>>>>> notify the sender and delete this e-mail and any attachments from your
>>>>>> computer.
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> midPoint mailing list
>>>>>> midPoint at lists.evolveum.com
>>>>>> http://lists.evolveum.com/mailman/listinfo/midpoint
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Ing. Ivan Noris
>>>> Senior Identity Management Engineer
>>>> evolveum.com evolveum.com/blog/
>>>> _____________________________________________
>>>> "Semper Id(e)M Vix."
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>
>
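The step both integrations in this thread rest on is CAS 2.0 service-ticket validation: mod_auth_cas calls the CASValidateURL (/cas/serviceValidate) and Katarina's bean does the same through Cas20ServiceTicketValidator, and in both cases the service parameter has to be exactly the URL the browser was sent to /cas/login with, which is what CASRootProxiedAs pins down behind the Apache proxy. The Python below is an added example, not code from midPoint, Spring or mod_auth_cas: it builds the validation URL, refuses non-service tickets up front, parses a success and a failure response, and returns the username that then has to match the midPoint user "name". The CAS base and service URLs reuse the thread's CASSERVER and MIDPOINTSERVERURL placeholders; the ticket value, the username jdoe and the two XML responses are constructed samples.

```python
# CAS 2.0 service-ticket validation as a relying party performs it.
# Added example, not midPoint's, Spring's or mod_auth_cas's code. The CAS base
# URL and service URL reuse the thread's placeholders; the ticket, the username
# and the two XML responses below are constructed samples.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"


def _tag(name: str) -> str:
    """Namespace-qualify a CAS element name for ElementTree lookups."""
    return "{%s}%s" % (CAS_NS, name)


def validate_url(cas_base: str, service: str, ticket: str) -> str:
    """Build the /serviceValidate request URL for a service ticket.

    `service` must be byte-for-byte the URL used at /cas/login, otherwise the
    CAS server rejects the ticket. /serviceValidate (CAS 2.0) only accepts
    service tickets (ST-...), so anything else is rejected before calling out.
    """
    if not ticket.startswith("ST-"):
        raise ValueError("CAS 2.0 serviceValidate only accepts service tickets (ST-...)")
    return cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_response(xml_text: str) -> dict:
    """Parse a /serviceValidate response into {"ok": bool, ...}.

    Only <cas:authenticationSuccess> with a non-empty <cas:user> yields a
    principal; a failure element or a malformed body never logs anyone in.
    """
    # The CAS server is reached over TLS (CASValidateServer On), but the body
    # is still parsed as untrusted XML; in production prefer defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise ValueError("not a CAS serviceResponse")
    success = root.find(_tag("authenticationSuccess"))
    if success is not None:
        user = (success.findtext(_tag("user")) or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without a user")
        return {"ok": True, "user": user}
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        return {"ok": False, "code": failure.get("code", ""),
                "message": (failure.text or "").strip()}
    raise ValueError("serviceResponse carries neither success nor failure")


# Constructed sample responses in the shape the CAS 2.0 protocol defines.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


def midpoint_login_name(xml_text: str):
    """Return the midPoint user "name" to log in as, or None when validation failed.

    The CAS username is passed through unchanged because, as the thread notes,
    CAS usernames must match the midPoint user "name".
    """
    result = parse_service_response(xml_text)
    return result["user"] if result["ok"] else None


if __name__ == "__main__":
    print(validate_url("https://CASSERVER/cas",
                       "https://MIDPOINTSERVERURL/midpoint/", "ST-1-abc"))
    print(midpoint_login_name(SUCCESS_XML))   # jdoe
    print(midpoint_login_name(FAILURE_XML))   # None
```

If the printed validation URL does not carry the same service value the login redirect used, the CAS server answers with INVALID_SERVICE; behind Apache that is the symptom of a missing or wrong CASRootProxiedAs.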
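The Apache route hands midPoint nothing but a Cas-User header, and RequestHeaderAuthenticationFilter accepts whatever is in it, so the whole design rests on Tomcat being reachable only through Apache. With the server.xml shown above the AJP connector listens on 8009 on every interface, and if Tomcat's stock HTTP connector on 8080 is left enabled (assumed here; the thread does not say), anyone who can reach either port can send their own Cas-User header and log in as any midPoint user. The practical hardening is to bind the AJP connector to loopback (address="127.0.0.1" on the Connector element) and disable or firewall the 8080 connector; on the Apache side, strip a client-supplied copy of the header before authentication runs unless the module is known to overwrite it (for example mod_headers' RequestHeader early unset Cas-User). The Python below is an added model of that trust decision, not midPoint's or Spring's code; the ports follow the thread, the proxy address is the mod-jk worker host localhost, and the requests, the username jdoe and the address 203.0.113.7 are constructed.

```python
# Trust boundary of header-based pre-authentication (a Spring
# RequestHeaderAuthenticationFilter reading Cas-User). Added example, not
# midPoint's or Spring's code. Ports follow the thread (AJP 8009; Tomcat's
# default HTTP connector 8080 is assumed to be enabled); the proxy address is
# the mod-jk worker host localhost; the requests below are constructed.
from dataclasses import dataclass, field

PRINCIPAL_HEADER = "Cas-User"        # header names are compared case-insensitively
AJP_PORT = 8009                      # the connector Apache/mod_jk talks to
PROXY_ADDRS = {"127.0.0.1", "::1"}   # worker.worker1.host=localhost in the thread


@dataclass
class Request:
    local_port: int                  # Tomcat connector the request arrived on
    remote_addr: str                 # peer that opened the connection
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def preauth_principal(req: Request):
    """Return the pre-authenticated principal, or None if the header cannot be trusted.

    The filter in the thread trusts Cas-User unconditionally; all the trust comes
    from where the request entered. So accept the header only on the AJP
    connector, only from the proxy host, and only when it is present and non-empty.
    """
    if req.local_port != AJP_PORT:
        return None      # direct HTTP hit on Tomcat: the header is attacker-controlled
    if req.remote_addr not in PROXY_ADDRS:
        return None      # AJP reachable from elsewhere: same problem
    user = (req.header(PRINCIPAL_HEADER) or "").strip()
    return user or None


# Constructed requests: the legitimate path and the ways the header can be forged.
VIA_APACHE = Request(8009, "127.0.0.1", {"Cas-User": "jdoe"})
DIRECT_HTTP = Request(8080, "203.0.113.7", {"Cas-User": "administrator"})
REMOTE_AJP = Request(8009, "203.0.113.7", {"cas-user": "administrator"})
NO_HEADER = Request(8009, "127.0.0.1", {})


def spoof_attempts_rejected() -> bool:
    """True when every forged or headerless request yields no principal."""
    return all(preauth_principal(r) is None for r in (DIRECT_HTTP, REMOTE_AJP, NO_HEADER))


if __name__ == "__main__":
    print(preauth_principal(VIA_APACHE))   # jdoe
    print(spoof_attempts_rejected())       # True
```

The two rejected cases are exactly the network paths that the loopback bind and the disabled 8080 connector close off; the model makes the check explicit where the real deployment gets it implicitly from the network layout.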