<div dir="ltr">I was thinking about directly integrating the Java CAS Client into midPoint by forking the code then making the changes and adding the CAS client libraries. This way the CAS Login URL and options to use CAS can be set in the GUI and this can all be skipped.<div><br></div><div>Is this Ok?</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000">
    Fixed, thanks.<br>
    <br>
    I.<div><div class="h5"><br>
    <br>
    <div>On 02/04/2015 05:40 PM, Jason Everling
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">That looks good!
        <div><br>
        </div>
        <div>I had made a typo on the following,</div>
        <div><span><br>
          </span></div>
        <div><span>sudo
            vi /var/lib/tomcat7/webapps/ctx-web-security.xml</span></div>
        <div><span><br>
          </span></div>
        <div><span>Should
            be</span></div>
        <div><span><br>
          </span></div>
        <div><span>sudo
            vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml</span><span><br>
          </span></div>
        <div><span><br>
          </span></div>
        <div><span>JASON</span></div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 4, 2015 at 8:34 AM, Radovan
          Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>Hi,<br>
                <br>
                I have placed it in our wiki:<br>
                <a href="https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847" target="_blank">https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847</a><br>
                <br>
                Thanks again!<span><br>
                  <br>
                  <pre cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             <a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                  <br>
                  <br>
                </span>
                <div>
                  <div> On 02/04/2015 03:06 PM, Jason
                    Everling wrote:<br>
                  </div>
                </div>
              </div>
              <div>
                <div>
                  <blockquote type="cite">
                    <div dir="ltr">That is correct!
                      <div><br>
                      </div>
                      <div>JASON</div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Feb 4, 2015 at
                        8:03 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF">
                            <div>Hi Jason,<br>
                              <br>
                              Thanks a lot for the contribution. This
                              would really be a nice addition to our
                              wiki. Just to be completely sure: you were
                              setting up midPoint as a client (relying
                              party) in a CAS-based SSO system by using
                              a CAS agent in apache, right?<br>
                              <br>
                              <pre cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             <a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                              <div>
                                <div> <br>
                                  <br>
                                  On 02/03/2015 06:11 PM, Jason Everling
                                  wrote:<br>
                                </div>
                              </div>
                            </div>
                            <blockquote type="cite">
                              <div>
                                <div>
                                  <div dir="ltr">I have successfully got
                                    this working so I wanted to post it
                                    so that if you wanted to include it
                                    on your wiki, maybe clean it up so
                                    that the steps look nicer!
                                    <div><br>
                                    </div>
                                    <div>CAS Usernames must match
                                      midPoint user "name"<br>
                                      <div>
                                        <div><br>
                                        </div>
                                        <div>In this example I am using
                                          Apache with Tomcat 7, auth-cas
                                          and mod-jk</div>
                                        <div><br>
                                        </div>
                                        <div>Assumed Configuration:</div>
                                        <div><br>
                                        </div>
                                        <div>Apache installed and
                                          configured with SSL</div>
                                         <div>Tomcat installed and already
                                           configured and working with
                                           midPoint</div>
                                        <div><br>
                                        </div>
                                        <div><b>Apache Configuration</b></div>
                                        <div><br>
                                        </div>
                                        <div>sudo apt-get install
                                          libapache2-mod-jk
                                          libapache2-mod-auth-cas</div>
                                        <div><br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div>1. Configure mod-jk</div>
                                        <div><br>
                                        </div>
                                        <div>Create a workers.properties
                                          file in /etc/apache2</div>
                                        <div><br>
                                        </div>
                                        <div>sudo vi
                                          /etc/apache2/workers.properties</div>
                                        <div><br>
                                        </div>
                                        <div>Add the following</div>
                                        <div><br>
                                        </div>
                                         <pre>
worker.list=worker1
worker.worker1.port=8009
worker.worker1.host=localhost
worker.worker1.type=ajp13
</pre>
                                        <div><br>
                                        </div>
                                        <div>2. Configure apache2 sites</div>
                                        <div><br>
                                        </div>
                                        <div>sudo vi
                                          /etc/apache2/sites-available/default-ssl.conf</div>
                                        <div><br>
                                        </div>
                                        <div>Add the following below the
                                          first default DocumentRoot
                                          /var/www/html</div>
                                        <div><br>
                                        </div>
                                         <pre>
<Location ~ "/midpoint*">
    AuthType CAS
    AuthName "CAS"
    require valid-user
    CasAuthNHeader Cas-User
</Location>

JkMount /midpoint* worker1
</pre>
                                        <div><br>
                                        </div>
                                        <div>3. Configure auth-cas</div>
                                        <div><br>
                                        </div>
                                        <div>sudo vi
                                          /etc/apache2/mods-available/auth_cas.conf</div>
                                        <div><br>
                                        </div>
                                        <div>Add the following</div>
                                        <div><br>
                                        </div>
                                         <pre>
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASDebug Off
CASValidateServer On
CASVersion 2
CASSSOEnabled On
# Needed: auth-cas uses the server hostname in the service URL redirect, so override it here.
# Do not add a trailing / or /midpoint!
CASRootProxiedAs https://MIDPOINTSERVERURL
</pre>
                                        <div><br>
                                        </div>
                                        <div>Restart Apache2</div>
                                        <div><br>
                                        </div>
                                        <div>sudo service apache2
                                          restart</div>
                                        <div><br>
                                        </div>
                                        <div><b>Tomcat Configuration</b></div>
                                        <div><br>
                                        </div>
                                         <div>1. Configure Tomcat to use
                                           the AJP connector</div>
                                        <div><br>
                                        </div>
                                        <div>sudo vi
                                          /var/lib/tomcat7/conf/server.xml</div>
                                        <div><br>
                                        </div>
                                        <div>Uncomment the following so
                                          that it reads</div>
                                        <div><br>
                                        </div>
                                         <pre>
    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</pre>
                                         <div><b>midPoint Configuration</b></div>
                                        <div><br>
                                        </div>
                                        <div>1. Edit
                                          ctx-web-security.xml</div>
                                        <div><br>
                                        </div>
                                        <div>sudo vi
                                          /var/lib/tomcat7/webapps/ctx-web-security.xml</div>
                                        <div><br>
                                        </div>
                                         <div>Uncomment the following so
                                           that it reads</div>
                                        <div><br>
                                        </div>
                                         <pre>
    <!-- For SSO integration use the following: -->
        <custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" />
</pre>
                                        <div><br>
                                        </div>
                                        <div>Edit the following value
                                          "principalRequestHeader" in
                                          the bean
                                          "requestHeaderAuthenticationFilter"
                                          so that it reads</div>
                                        <div><br>
                                        </div>
                                         <pre>
    <!-- Following bean is used with pre-authentication based on HTTP headers (e.g. for SSO integration) -->
    <beans:bean id="requestHeaderAuthenticationFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
        <beans:property name="principalRequestHeader" value="Cas-User"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>
</pre>
                                        <div>Finally restart tomcat7</div>
                                        <div><br>
                                        </div>
                                        <div>sudo service tomcat7
                                          restart</div>
                                        <div><br>
                                        </div>
                                         <div>Users can now log in to
                                           midPoint using CAS</div>
                                      </div>
                                    </div>
                                    <div><br>
                                    </div>
                                    <div>Thanks,</div>
                                    <div>JASON</div>
                                  </div>
                                  <br>
                                </div>
                              </div>
                              <font><br>
                                <br>
                                CONFIDENTIALITY NOTICE:<br>
                                This e-mail together with any
                                attachments is proprietary and
                                confidential; intended for only the
                                recipient(s) named above and may contain
                                information that is privileged. You
                                should not retain, copy or use this
                                e-mail or any attachments for any
                                purpose, or disclose all or any part of
                                the contents to any person. Any views or
                                opinions expressed in this e-mail are
                                those of the author and do not represent
                                those of the Baptist School of Health
                                Professions. If you have received this
                                e-mail in error, or are not the named
                                recipient(s), you are hereby notified
                                that any review, dissemination,
                                distribution or copying of this
                                communication is prohibited by the
                                sender and to do so might constitute a
                                violation of the Electronic
                                Communications Privacy Act, 18 U.S.C.
                                section 2510-2521. Please immediately
                                notify the sender and delete this e-mail
                                and any attachments from your computer.
                              </font><br>
                              <br>
                              <fieldset></fieldset>
                              <br>
                              <pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                            </blockquote>
                            <br>
                            <br>
                          </div>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                  <br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    </div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a href="http://evolveum.com" target="_blank">evolveum.com</a>     <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
  </font></span></div>

<br></blockquote></div><br></div>

<br>
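<div>The how-to quoted above chains three pieces that each have to agree: mod_auth_cas validates the CAS ticket and sets the Cas-User header, mod_jk forwards the request over AJP, and midPoint's RequestHeaderAuthenticationFilter accepts whatever that header says. The script below is an added example, not code from midPoint, mod_auth_cas or the original poster. It lints the configuration files from the thread for the mistakes that break or weaken that chain: non-https CAS URLs, CASValidateServer turned off, a CASRootProxiedAs with a path or trailing slash (the caveat in the auth_cas.conf comment), a header name that differs between Apache and midPoint, and an AJP connector without a loopback <code>address</code> attribute. The sample configuration strings are constructed from the thread's snippets (SERVERURL and MIDPOINTSERVERURL are the thread's own placeholders); requiring the AJP connector to be bound to loopback is this example's assumption that Apache and Tomcat share a host, which the thread does not state.</div>

```python
"""Lint the Apache mod_auth_cas -> AJP -> Tomcat -> midPoint header pre-auth chain.
Added example, not code from midPoint, mod_auth_cas or the original poster. The sample
configs are constructed from the thread's snippets (SERVERURL and MIDPOINTSERVERURL are
its placeholders); requiring a loopback AJP address is this example's own assumption."""
import re
import xml.etree.ElementTree as ET

AUTH_CAS_CONF = """\
CASLoginURL https://SERVERURL/cas/login
CASValidateURL https://SERVERURL/cas/serviceValidate
CASValidateServer On
CASRootProxiedAs https://MIDPOINTSERVERURL
"""
SITE_CONF = """\
<Location ~ "/midpoint*">
    AuthType CAS
    require valid-user
    CasAuthNHeader Cas-User
</Location>
JkMount /midpoint* worker1
"""
# Connector exactly as posted: no address attribute, so Tomcat listens on all interfaces.
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>
"""
# Constructed hardened variant: the same connector bound to loopback only.
SERVER_XML_LOOPBACK = SERVER_XML.replace('port="8009"', 'port="8009" address="127.0.0.1"')
CTX_WEB_SECURITY = """\
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans">
  <beans:bean id="requestHeaderAuthenticationFilter"
      class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="Cas-User"/>
    <beans:property name="authenticationManager" ref="authenticationManager"/>
  </beans:bean>
</beans:beans>
"""
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_directives(conf):
    """Apache 'Name value' lines -> dict; section tags and comments are skipped."""
    out = {}
    for line in (raw.strip() for raw in conf.splitlines()):
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            out[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return out


def ajp_connectors(server_xml):
    """Attribute dicts of every AJP <Connector> in a Tomcat server.xml."""
    return [c.attrib for c in ET.fromstring(server_xml).iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def principal_header(ctx_xml):
    """Header name midPoint's RequestHeaderAuthenticationFilter takes the principal from."""
    for el in ET.fromstring(ctx_xml).iter():
        if el.tag.endswith("}bean") and el.get("id") == "requestHeaderAuthenticationFilter":
            for prop in el:
                if prop.get("name") == "principalRequestHeader":
                    return prop.get("value")
    return None


def check_chain(auth_cas_conf, site_conf, server_xml, ctx_xml):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []
    cas, site = parse_directives(auth_cas_conf), parse_directives(site_conf)
    # CAS endpoints over TLS, with the CAS server certificate actually verified.
    for key in ("CASLoginURL", "CASValidateURL"):
        if not cas.get(key, "").startswith("https://"):
            findings.append(f"{key} is not an https:// URL")
    if cas.get("CASValidateServer", "").lower() != "on":
        findings.append("CASValidateServer is not On")
    # The thread's caveat: scheme and host only, no trailing / and no /midpoint.
    proxied = cas.get("CASRootProxiedAs", "")
    if proxied and not re.fullmatch(r"https://[^/]+", proxied):
        findings.append("CASRootProxiedAs must be https://host with no path or trailing /")
    # The header Apache sets must be the one midPoint reads (names are case-insensitive).
    apache_hdr, spring_hdr = site.get("CasAuthNHeader"), principal_header(ctx_xml)
    if not apache_hdr or not spring_hdr or apache_hdr.lower() != spring_hdr.lower():
        findings.append(f"header mismatch: Apache sets {apache_hdr!r}, midPoint reads {spring_hdr!r}")
    # midPoint trusts the header as-is, so only Apache should be able to reach the AJP port.
    for conn in ajp_connectors(server_xml):
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP connector on port {conn.get('port')} is not bound to loopback; "
                            "a request that bypasses Apache would carry an unverified header")
    return findings


if __name__ == "__main__":
    for label, xml in (("as posted", SERVER_XML), ("AJP on loopback", SERVER_XML_LOOPBACK)):
        print(f"{label}: {check_chain(AUTH_CAS_CONF, SITE_CONF, xml, CTX_WEB_SECURITY) or 'OK'}")
```

<div>Run as-is, the configuration exactly as posted produces one finding, the AJP connector with no loopback address; the variant with <code>address="127.0.0.1"</code> produces none. To lint a real deployment, read the four files from disk in place of the embedded strings; the directive names checked are only the ones the thread itself uses.</div>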