<div dir="ltr">I was thinking about directly integrating the Java CAS Client into midPoint by forking the code then making the changes and adding the CAS client libraries. This way the CAS Login URL and options to use CAS can be set in the GUI and this can all be skipped.<div><br></div><div>Is this Ok?</div><div><br></div><div>JASON</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 4, 2015 at 11:30 AM, Ivan Noris <span dir="ltr"><<a href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
Fixed, thanks.<br>
<br>
I.<div><div class="h5"><br>
<br>
<div>On 02/04/2015 05:40 PM, Jason Everling
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">That looks good!
<div><br>
</div>
<div>I had made a typo on the following,</div>
<div><span><br>
</span></div>
<div><span>sudo
vi /var/lib/tomcat7/webapps/ctx-web-security.xml</span></div>
<div><span><br>
</span></div>
<div><span>Should
be</span></div>
<div><span><br>
</span></div>
<div><span>sudo
vi /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml</span><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>JASON</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 4, 2015 at 8:34 AM, Radovan
Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
I have placed it in our wiki:<br>
<a href="https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847" target="_blank">https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847</a><br>
<br>
Thanks again!<span><br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
</span>
<div>
<div> On 02/04/2015 03:06 PM, Jason
Everling wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">That is correct!
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 4, 2015 at
8:03 AM, Radovan Semancik <span dir="ltr"><<a href="mailto:radovan.semancik@evolveum.com" target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi Jason,<br>
<br>
Thanks a lot for the contribution. This
would really be a nice addition to our
wiki. Just to be completely sure: you were
setting up midPoint as a client (relying
party) in a CAS-based SSO system by using
a CAS agent in apache, right?<br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div> <br>
<br>
On 02/03/2015 06:11 PM, Jason Everling
wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">I have successfully got
this working so I wanted to post it
so that if you wanted to include it
on your wiki, maybe clean it up so
that the steps look nicer!
<div><br>
</div>
<div>CAS Usernames must match
midPoint user "name"<br>
<div>
<div><br>
</div>
<div>In this example I am using
Apache with Tomcat 7, auth-cas
and mod-jk</div>
<div><br>
</div>
<div>Assumed Configuration:</div>
<div><br>
</div>
<div>Apache installed and
configured with SSL</div>
<div>Tomcat installed and
configured working already
with midPoint</div>
<div><br>
</div>
<div><b>Apache Configuration</b></div>
<div><br>
</div>
<div>sudo apt-get install
libapache2-mod-jk
libapache2-mod-auth-cas</div>
<div><br>
</div>
<div><br>
</div>
<div>1. Configure mod-jk</div>
<div><br>
</div>
<div>Create a workers.properties
file in /etc/apache2</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/workers.properties</div>
<div><br>
</div>
<div>Add the following</div>
<div><br>
</div>
<div>worker.list=worker1</div>
<div>worker.worker1.port=8009</div>
<div>worker.worker1.host=localhost</div>
<div>worker.worker1.type=ajp13</div>
<div><br>
</div>
<div>2. Configure apache2 sites</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/sites-available/default-ssl.conf</div>
<div><br>
</div>
<div>Add the following below the
first default DocumentRoot
/var/www/html</div>
<div><br>
</div>
<div><span style="white-space:pre-wrap">
</span><Location ~
"/midpoint*"></div>
<div> <span style="white-space:pre-wrap">
</span>AuthType CAS</div>
<div> <span style="white-space:pre-wrap">
</span>AuthName "CAS"</div>
<div> <span style="white-space:pre-wrap">
</span>require valid-user</div>
<div> <span style="white-space:pre-wrap">
</span>CasAuthNHeader Cas-User</div>
<div><span style="white-space:pre-wrap">
</span></Location></div>
<div><br>
</div>
<div><span style="white-space:pre-wrap">
</span>JkMount /midpoint*
worker1<span style="white-space:pre-wrap">
</span></div>
<div><br>
</div>
<div>3. Configure auth-cas</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/mods-available/auth_cas.conf</div>
<div><br>
</div>
<div>Add the following</div>
<div><br>
</div>
<div>CASCookiePath
/var/cache/apache2/mod_auth_cas/</div>
<div>CASLoginURL <a href="https://SERVERURL/cas/login" target="_blank">https://SERVERURL/cas/login</a></div>
<div>CASValidateURL <a href="https://SERVERURL/cas/serviceValidate" target="_blank">https://SERVERURL/cas/serviceValidate</a></div>
<div>CASDebug Off</div>
<div>CASValidateServer On</div>
<div>CASVersion 2</div>
<div>CASSSOEnabled On</div>
<div>#Below is needed, auth-cas
will use the server hostname
in the service URL redirect so
we will override that, do not
add a trailing / or add
/midpoint!</div>
<div>CASRootProxiedAs <a href="https://MIDPOINTSERVERURL" target="_blank">https://MIDPOINTSERVERURL</a></div>
<div><br>
</div>
<div>Restart Apache2</div>
<div><br>
</div>
<div>sudo service apache2
restart</div>
<div><br>
</div>
<div><b>Tomcat Configuration</b></div>
<div><br>
</div>
<div>1. Confgure tomcat to use
the AJP connector</div>
<div><br>
</div>
<div>sudo vi
/var/lib/tomcat7/conf/server.xml</div>
<div><br>
</div>
<div>Uncomment the following so
that it reads</div>
<div><br>
</div>
<div> <!-- Define an AJP
1.3 Connector on port 8009
--></div>
<div><br>
</div>
<div> <Connector
port="8009" protocol="AJP/1.3"
redirectPort="8443" /></div>
<div><span style="white-space:pre-wrap">
</span></div>
<div><b>Midpoint Configuration</b></div>
<div><br>
</div>
<div>1. Edit
ctx-web-security.xml</div>
<div><br>
</div>
<div>sudo vi
/var/lib/tomcat7/webapps/ctx-web-security.xml</div>
<div><br>
</div>
<div>Uncomment the following so
that reads</div>
<div><br>
</div>
<div><span style="white-space:pre-wrap">
</span><!-- For SSO
integration use the following:
--></div>
<div> <custom-filter
position="PRE_AUTH_FILTER"
ref="requestHeaderAuthenticationFilter"
/></div>
<div><br>
</div>
<div>Edit the following value
"principalRequestHeader" in
the bean
"requestHeaderAuthenticationFilter"
so that it reads</div>
<div><br>
</div>
<div> <!-- Following bean
is used with
pre-authentication based on
HTTP headers (e.g. for SSO
integration) --></div>
<div> <beans:bean
id="requestHeaderAuthenticationFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"></div>
<div><span style="white-space:pre-wrap">
</span> <beans:property
name="principalRequestHeader"
value="Cas-User"/></div>
<div><span style="white-space:pre-wrap">
</span> <beans:property
name="authenticationManager"
ref="authenticationManager"
/></div>
<div><span style="white-space:pre-wrap">
</span></beans:bean></div>
<div><span style="white-space:pre-wrap">
</span></div>
<div>Finally restart tomcat7</div>
<div><br>
</div>
<div>sudo service tomcat7
restart</div>
<div><br>
</div>
<div>User can now login to
midPoint using CAS</div>
</div>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>JASON</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may contain
information that is privileged. You
should not retain, copy or use this
e-mail or any attachments for any
purpose, or disclose all or any part of
the contents to any person. Any views or
opinions expressed in this e-mail are
those of the author and do not represent
those of the Baptist School of Health
Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified
that any review, dissemination,
distribution or copying of this
communication is prohibited by the
sender and to do so might constitute a
violation of the Electronic
Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately
notify the sender and delete this e-mail
and any attachments from your computer.
</font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a href="http://evolveum.com" target="_blank">evolveum.com</a> <a href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>_______________________________________________<br>
midPoint mailing list<br>
<a href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br></blockquote></div><br></div>
<br>
<font size="2"><br><br>CONFIDENTIALITY NOTICE:<br>This e-mail together with any attachments is proprietary and confidential; intended for only the recipient(s) named above and may contain information that is privileged. You should not retain, copy or use this e-mail or any attachments for any purpose, or disclose all or any part of the contents to any person. Any views or opinions expressed in this e-mail are those of the author and do not represent those of the Baptist School of Health Professions. If you have received this e-mail in error, or are not the named recipient(s), you are hereby notified that any review, dissemination, distribution or copying of this communication is prohibited by the sender and to do so might constitute a violation of the Electronic Communications Privacy Act, 18 U.S.C. section 2510-2521. Please immediately notify the sender and delete this e-mail and any attachments from your computer. </font><br>