<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">Hi,<br>
      <br>
      I have placed it in our wiki:<br>
      <a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847">https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847</a><br>
      <br>
      Thanks again!<br>
      <br>
      <pre class="moz-signature" cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             evolveum.com
</pre>
      <br>
      <br>
      On 02/04/2015 03:06 PM, Jason Everling wrote:<br>
    </div>
    <blockquote
cite="mid:CAFkZXY7YReHsWb84_meV_2z1cyMBpn4+svYird5xN9eKHC=6DQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">That is correct!
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 4, 2015 at 8:03 AM, Radovan
          Semancik <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:radovan.semancik@evolveum.com"
              target="_blank">radovan.semancik@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Hi Jason,<br>
                <br>
                Thanks a lot for the contribution. This would really be
                a nice addition to our wiki. Just to be completely sure:
                you were setting up midPoint as a client (relying party)
                in a CAS-based SSO system by using a CAS agent in
                apache, right?<br>
                <br>
                <pre cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             <a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                <div>
                  <div class="h5"> <br>
                    <br>
                    On 02/03/2015 06:11 PM, Jason Everling wrote:<br>
                  </div>
                </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div dir="ltr">I have successfully got this working
                      so I wanted to post it so that if you wanted to
                      include it on your wiki, maybe clean it up so that
                      the steps look nicer!
                      <div><br>
                      </div>
                      <div>CAS Usernames must match midPoint user "name"<br>
                        <div>
                          <div><br>
                          </div>
                          <div>In this example I am using Apache with
                            Tomcat 7, auth-cas and mod-jk</div>
                          <div><br>
                          </div>
                          <div>Assumed Configuration:</div>
                          <div><br>
                          </div>
                          <div>Apache installed and configured with SSL</div>
                          <div>Tomcat installed and configured working
                            already with midPoint</div>
                          <div><br>
                          </div>
                          <div><b>Apache Configuration</b></div>
                          <div><br>
                          </div>
                          <div>sudo apt-get install libapache2-mod-jk
                            libapache2-mod-auth-cas</div>
                          <div><br>
                          </div>
                          <div><br>
                          </div>
                          <div>1. Configure mod-jk</div>
                          <div><br>
                          </div>
                          <div>Create a workers.properties file in
                            /etc/apache2</div>
                          <div><br>
                          </div>
                          <div>sudo vi /etc/apache2/workers.properties</div>
                          <div><br>
                          </div>
                          <div>Add the following</div>
                          <div><br>
                          </div>
                          <pre>worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13</pre>
                          <div><br>
                          </div>
                          <div>2. Configure apache2 sites</div>
                          <div><br>
                          </div>
                          <div>sudo vi
                            /etc/apache2/sites-available/default-ssl.conf</div>
                          <div><br>
                          </div>
                          <div>Add the following below the first default
                            DocumentRoot /var/www/html</div>
                          <div><br>
                          </div>
                          <pre>    <Location ~ "/midpoint*">
        AuthType CAS
        AuthName "CAS"
        require valid-user
        CasAuthNHeader Cas-User
    </Location>

    JkMount /midpoint* worker1</pre>
                          <div><br>
                          </div>
                          <div>3. Configure auth-cas</div>
                          <div><br>
                          </div>
                          <div>sudo vi
                            /etc/apache2/mods-available/auth_cas.conf</div>
                          <div><br>
                          </div>
                          <div>Add the following</div>
                          <div><br>
                          </div>
                          <pre>CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
# Below is needed: auth-cas will use the server hostname in the service URL redirect,
# so we will override that. Do not add a trailing / or add /midpoint!
CASRootProxiedAs https://MIDPOINTSERVERURL</pre>
                          <div><br>
                          </div>
                          <div>Restart Apache2</div>
                          <div><br>
                          </div>
                          <div>sudo service apache2 restart</div>
                          <div><br>
                          </div>
                          <div><b>Tomcat Configuration</b></div>
                          <div><br>
                          </div>
                          <div>1. Configure tomcat to use the AJP
                            connector</div>
                          <div><br>
                          </div>
                          <div>sudo vi /var/lib/tomcat7/conf/server.xml</div>
                          <div><br>
                          </div>
                          <div>Uncomment the following so that it reads</div>
                          <div><br>
                          </div>
                          <pre>    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /></pre>
                          <div><span style="white-space:pre-wrap"> </span></div>
                          <div><b>Midpoint Configuration</b></div>
                          <div><br>
                          </div>
                          <div>1. Edit ctx-web-security.xml</div>
                          <div><br>
                          </div>
                          <div>sudo vi
                            /var/lib/tomcat7/webapps/ctx-web-security.xml</div>
                          <div><br>
                          </div>
                          <div>Uncomment the following so that it reads</div>
                          <div><br>
                          </div>
                          <pre>    <!-- For SSO integration use the following: -->
        <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" /></pre>
                          <div><br>
                          </div>
                          <div>Edit the following value
                            "principalRequestHeader" in the bean
                            "requestHeaderAuthenticationFilter" so that
                            it reads</div>
                          <div><br>
                          </div>
                          <pre>    <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
    <beans:bean id="requestHeaderAuthenticationFilter"
                class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <beans:property name="principalRequestHeader" value="Cas-User"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean></pre>
                          <div><span style="white-space:pre-wrap"> </span></div>
                          <div>Finally restart tomcat7</div>
                          <div><br>
                          </div>
                          <div>sudo service tomcat7 restart</div>
                          <div><br>
                          </div>
                          <div>Users can now log in to midPoint using CAS</div>
                        </div>
                      </div>
                      <div><br>
                      </div>
                      <div>Thanks,</div>
                      <div>JASON</div>
                    </div>
                    <br>
                  </div>
                </div>
                <font><br>
                  <br>
                  CONFIDENTIALITY NOTICE:<br>
                  This e-mail together with any attachments is
                  proprietary and confidential; intended for only the
                  recipient(s) named above and may contain information
                  that is privileged. You should not retain, copy or use
                  this e-mail or any attachments for any purpose, or
                  disclose all or any part of the contents to any
                  person. Any views or opinions expressed in this e-mail
                  are those of the author and do not represent those of
                  the Baptist School of Health Professions. If you have
                  received this e-mail in error, or are not the named
                  recipient(s), you are hereby notified that any review,
                  dissemination, distribution or copying of this
                  communication is prohibited by the sender and to do so
                  might constitute a violation of the Electronic
                  Communications Privacy Act, 18 U.S.C. section
                  2510-2521. Please immediately notify the sender and
                  delete this e-mail and any attachments from your
                  computer. </font><br>
                <br>
                <br>
                <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
              </blockquote>
              <br>
              <br>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <br>
      <br>
    </blockquote>
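    <p>The setup quoted in this thread ends up trusting a single HTTP header: mod_auth_cas fills in Cas-User after a successful CAS validation, mod_jk forwards it over AJP, and midPoint's RequestHeaderAuthenticationFilter logs in whichever user that header names. Two conditions therefore have to hold for the chain to be safe. Only the local Apache may reach Tomcat's AJP connector: the Connector element as posted carries no address attribute, and Tomcat then listens on all interfaces, so adding address="127.0.0.1" restricts it to loopback. And the header name given to CasAuthNHeader must be the one principalRequestHeader reads. The Python script below is an added example, not code from the mailing-list post, from midPoint or from Evolveum; it checks both conditions across the three files the post edits, using constructed sample contents in place of the real files. The check logic, the sample contents and the loopback requirement are assumptions of this example.</p>

```python
"""Consistency check for the header pre-authentication chain set up in the thread:
Apache (mod_auth_cas + mod_jk) -> Tomcat AJP connector -> midPoint
RequestHeaderAuthenticationFilter.

Added example, not code from the mailing-list post, from midPoint or from
Evolveum.  The sample file contents below are constructed for this example;
the check logic and the loopback requirement are assumptions of the example.
"""
import re
import xml.etree.ElementTree as ET

# --- Constructed sample inputs, modelled on the files edited in the post ---

# server.xml as posted: no 'address' attribute, so Tomcat listens on every interface.
SERVER_XML_OPEN = """<Server><Service>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

# Hardened variant: AJP reachable only from the local Apache.
SERVER_XML_LOOPBACK = """<Server><Service>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" />
</Service></Server>"""

APACHE_SITE = """<Location ~ "/midpoint*">
    AuthType CAS
    AuthName "CAS"
    require valid-user
    CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1
"""

# Minimal stand-in for ctx-web-security.xml (beans namespace declared so it parses alone).
WEB_SECURITY_XML = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="requestHeaderAuthenticationFilter"
      class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="Cas-User"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>
</beans:beans>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def ajp_connectors(server_xml):
    """(port, address) for every AJP connector in a Tomcat server.xml string."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("address"))
            for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def ajp_bound_to_loopback(server_xml):
    """True only if every AJP connector names a loopback address explicitly.
    A missing 'address' means 'all interfaces' in Tomcat, so it counts as exposed."""
    conns = ajp_connectors(server_xml)
    return bool(conns) and all(addr in LOOPBACK for _, addr in conns)


def cas_authn_header(apache_conf):
    """Header name mod_auth_cas is told to populate (CasAuthNHeader directive)."""
    m = re.search(r"^\s*CasAuthNHeader\s+(\S+)", apache_conf, re.M | re.I)
    return m.group(1) if m else None


def principal_request_header(security_xml):
    """Header name the Spring RequestHeaderAuthenticationFilter bean reads."""
    root = ET.fromstring(security_xml)
    for bean in root.iter():
        if bean.tag.endswith("}bean") and bean.get("id") == "requestHeaderAuthenticationFilter":
            for prop in bean:
                if prop.tag.endswith("}property") and prop.get("name") == "principalRequestHeader":
                    return prop.get("value")
    return None


def check_chain(server_xml, apache_conf, security_xml):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    if not ajp_bound_to_loopback(server_xml):
        findings.append('AJP connector not restricted to loopback: add address="127.0.0.1" '
                        'so only the local Apache can set the pre-auth header')
    sent = cas_authn_header(apache_conf)
    expected = principal_request_header(security_xml)
    if sent is None:
        findings.append("Apache config has no CasAuthNHeader directive")
    if expected is None:
        findings.append("requestHeaderAuthenticationFilter has no principalRequestHeader")
    # HTTP header names are case-insensitive, so compare them that way.
    if sent and expected and sent.lower() != expected.lower():
        findings.append(f"header mismatch: Apache sets {sent!r}, midPoint reads {expected!r}")
    return findings


if __name__ == "__main__":
    for label, xml in (("as posted", SERVER_XML_OPEN), ("loopback", SERVER_XML_LOOPBACK)):
        print(label, check_chain(xml, APACHE_SITE, WEB_SECURITY_XML) or "OK")
```

    <p>Run against the constructed inputs, the script flags the connector line exactly as posted and reports the loopback-bound variant as consistent. To use it on a real host, read /var/lib/tomcat7/conf/server.xml, the default-ssl.conf site file and ctx-web-security.xml into the three string arguments instead of the samples.</p>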
    <br>
    <br>
  </body>
</html>