<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi Jason,<br>
<br>
few days ago I finished integration of CAS server with midPoint
using CAS client libraries (spring). I've tested it and it works
for me. I need only to push it to the midPoint's git repository
and write some notes on wiki. <br>
<br>
Regards,<br>
Katarina Valalikova<br>
<br>
Dňa 4. 2. 2015 o 19:20 Jason Everling napísal(a):<br>
</div>
<blockquote
cite="mid:CAFkZXY7m8LOv+nkKKdGt7BuyMpUAwrZkSEfhXDvwb8dAO0iK7Q@mail.gmail.com"
type="cite">
<div dir="ltr">I was thinking about directly integrating the Java
CAS Client into midPoint by forking the code then making the
changes and adding the CAS client libraries. This way the CAS
Login URL and options to use CAS can be set in the GUI and this
can all be skipped.
<div><br>
</div>
<div>Is this Ok?</div>
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 4, 2015 at 11:30 AM, Ivan
Noris <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> Fixed, thanks.<br>
<br>
I.
<div>
<div class="h5"><br>
<br>
<div>On 02/04/2015 05:40 PM, Jason Everling wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">That looks good!
<div><br>
</div>
<div>I had made a typo on the following,</div>
<div><span><br>
</span></div>
<div><span>sudo vi
/var/lib/tomcat7/webapps/ctx-web-security.xml</span></div>
<div><span><br>
</span></div>
<div><span>Should be</span></div>
<div><span><br>
</span></div>
<div><span>sudo vi
/var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml</span><span><br>
</span></div>
<div><span><br>
</span></div>
<div><span>JASON</span></div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 4, 2015 at
8:34 AM, Radovan Semancik <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div>Hi,<br>
<br>
I have placed it in our wiki:<br>
<a moz-do-not-send="true"
href="https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847"
target="_blank">https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847</a><br>
<br>
Thanks again!<span><br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<br>
<br>
</span>
<div>
<div> On 02/04/2015 03:06 PM, Jason
Everling wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">That is correct!
<div><br>
</div>
<div>JASON</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb
4, 2015 at 8:03 AM, Radovan
Semancik <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:radovan.semancik@evolveum.com"
target="_blank">radovan.semancik@evolveum.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div text="#000000"
bgcolor="#FFFFFF">
<div>Hi Jason,<br>
<br>
Thanks a lot for the
contribution. This would
really be a nice addition to
our wiki. Just to be
completely sure: you were
setting up midPoint as a
client (relying party) in a
CAS-based SSO system by
using a CAS agent in apache,
right?<br>
<br>
<pre cols="72">--
Radovan Semancik
Software Architect
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
<div>
<div> <br>
<br>
On 02/03/2015 06:11 PM,
Jason Everling wrote:<br>
</div>
</div>
</div>
<blockquote type="cite">
<div>
<div>
<div dir="ltr">I have
successfully got this
working so I wanted to
post it so that if you
wanted to include it
on your wiki, maybe
clean it up so that
the steps look nicer!
<div><br>
</div>
<div>CAS Usernames
must match midPoint
user "name"<br>
<div>
<div><br>
</div>
<div>In this
example I am
using Apache
with Tomcat 7,
auth-cas and
mod-jk</div>
<div><br>
</div>
<div>Assumed
Configuration:</div>
<div><br>
</div>
<div>Apache
installed and
configured with
SSL</div>
<div>Tomcat
installed and
configured
working already
with midPoint</div>
<div><br>
</div>
<div><b>Apache
Configuration</b></div>
<div><br>
</div>
<div>sudo apt-get
install
libapache2-mod-jk
libapache2-mod-auth-cas</div>
<div><br>
</div>
<div><br>
</div>
<div>1. Configure
mod-jk</div>
<div><br>
</div>
<div>Create a
workers.properties
file in
/etc/apache2</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/workers.properties</div>
<div><br>
</div>
<div>Add the
following</div>
<div><br>
</div>
<div>worker.list=worker1</div>
<div>worker.worker1.port=8009</div>
<div>worker.worker1.host=localhost</div>
<div>worker.worker1.type=ajp13</div>
<div><br>
</div>
<div>2. Configure
apache2 sites</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/sites-available/default-ssl.conf</div>
<div><br>
</div>
<div>Add the
following below
the first
default
DocumentRoot
/var/www/html</div>
<div><br>
</div>
<div><span
style="white-space:pre-wrap">
</span><Location
~
"/midpoint*"></div>
<div> <span
style="white-space:pre-wrap">
</span>AuthType
CAS</div>
<div> <span
style="white-space:pre-wrap">
</span>AuthName
"CAS"</div>
<div> <span
style="white-space:pre-wrap">
</span>require
valid-user</div>
<div> <span
style="white-space:pre-wrap">
</span>CasAuthNHeader
Cas-User</div>
<div><span
style="white-space:pre-wrap">
</span></Location></div>
<div><br>
</div>
<div><span
style="white-space:pre-wrap">
</span>JkMount
/midpoint*
worker1<span
style="white-space:pre-wrap">
</span></div>
<div><br>
</div>
<div>3. Configure
auth-cas</div>
<div><br>
</div>
<div>sudo vi
/etc/apache2/mods-available/auth_cas.conf</div>
<div><br>
</div>
<div>Add the
following</div>
<div><br>
</div>
<div>CASCookiePath
/var/cache/apache2/mod_auth_cas/</div>
<div>CASLoginURL <a
moz-do-not-send="true" href="https://SERVERURL/cas/login"
target="_blank">https://SERVERURL/cas/login</a></div>
<div>CASValidateURL
<a
moz-do-not-send="true"
href="https://SERVERURL/cas/serviceValidate" target="_blank">https://SERVERURL/cas/serviceValidate</a></div>
<div>CASDebug Off</div>
<div>CASValidateServer
On</div>
<div>CASVersion 2</div>
<div>CASSSOEnabled
On</div>
<div>#Below is
needed, auth-cas
will use the
server hostname
in the service
URL redirect so
we will override
that, do not add
a trailing / or
add /midpoint!</div>
<div>CASRootProxiedAs
<a
moz-do-not-send="true"
href="https://MIDPOINTSERVERURL" target="_blank">https://MIDPOINTSERVERURL</a></div>
<div><br>
</div>
<div>Restart
Apache2</div>
<div><br>
</div>
<div>sudo service
apache2 restart</div>
<div><br>
</div>
<div><b>Tomcat
Configuration</b></div>
<div><br>
</div>
<div>1. Confgure
tomcat to use
the AJP
connector</div>
<div><br>
</div>
<div>sudo vi
/var/lib/tomcat7/conf/server.xml</div>
<div><br>
</div>
<div>Uncomment the
following so
that it reads</div>
<div><br>
</div>
<div> <!--
Define an AJP
1.3 Connector on
port 8009 --></div>
<div><br>
</div>
<div>
<Connector
port="8009"
protocol="AJP/1.3"
redirectPort="8443"
/></div>
<div><span
style="white-space:pre-wrap">
</span></div>
<div><b>Midpoint
Configuration</b></div>
<div><br>
</div>
<div>1. Edit
ctx-web-security.xml</div>
<div><br>
</div>
<div>sudo vi
/var/lib/tomcat7/webapps/ctx-web-security.xml</div>
<div><br>
</div>
<div>Uncomment the
following so
that reads</div>
<div><br>
</div>
<div><span
style="white-space:pre-wrap">
</span><!--
For SSO
integration use
the following:
--></div>
<div>
<custom-filter
position="PRE_AUTH_FILTER"
ref="requestHeaderAuthenticationFilter"
/></div>
<div><br>
</div>
<div>Edit the
following value
"principalRequestHeader"
in the bean
"requestHeaderAuthenticationFilter"
so that it reads</div>
<div><br>
</div>
<div> <!--
Following bean
is used with
pre-authentication
based on HTTP
headers (e.g.
for SSO
integration)
--></div>
<div>
<beans:bean
id="requestHeaderAuthenticationFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"></div>
<div><span
style="white-space:pre-wrap">
</span>
<beans:property
name="principalRequestHeader"
value="Cas-User"/></div>
<div><span
style="white-space:pre-wrap">
</span>
<beans:property
name="authenticationManager"
ref="authenticationManager"
/></div>
<div><span
style="white-space:pre-wrap">
</span></beans:bean></div>
<div><span
style="white-space:pre-wrap">
</span></div>
<div>Finally
restart tomcat7</div>
<div><br>
</div>
<div>sudo service
tomcat7 restart</div>
<div><br>
</div>
<div>User can now
login to
midPoint using
CAS</div>
</div>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>JASON</div>
</div>
<br>
</div>
</div>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with
any attachments is
proprietary and
confidential; intended for
only the recipient(s)
named above and may
contain information that
is privileged. You should
not retain, copy or use
this e-mail or any
attachments for any
purpose, or disclose all
or any part of the
contents to any person.
Any views or opinions
expressed in this e-mail
are those of the author
and do not represent those
of the Baptist School of
Health Professions. If you
have received this e-mail
in error, or are not the
named recipient(s), you
are hereby notified that
any review, dissemination,
distribution or copying of
this communication is
prohibited by the sender
and to do so might
constitute a violation of
the Electronic
Communications Privacy
Act, 18 U.S.C. section
2510-2521. Please
immediately notify the
sender and delete this
e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any
attachments is proprietary and
confidential; intended for only the
recipient(s) named above and may
contain information that is
privileged. You should not retain,
copy or use this e-mail or any
attachments for any purpose, or
disclose all or any part of the
contents to any person. Any views or
opinions expressed in this e-mail
are those of the author and do not
represent those of the Baptist
School of Health Professions. If you
have received this e-mail in error,
or are not the named recipient(s),
you are hereby notified that any
review, dissemination, distribution
or copying of this communication is
prohibited by the sender and to do
so might constitute a violation of
the Electronic Communications
Privacy Act, 18 U.S.C. section
2510-2521. Please immediately notify
the sender and delete this e-mail
and any attachments from your
computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
</div>
</div>
</div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com"
target="_blank">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is
proprietary and confidential; intended for only
the recipient(s) named above and may contain
information that is privileged. You should not
retain, copy or use this e-mail or any attachments
for any purpose, or disclose all or any part of
the contents to any person. Any views or opinions
expressed in this e-mail are those of the author
and do not represent those of the Baptist School
of Health Professions. If you have received this
e-mail in error, or are not the named
recipient(s), you are hereby notified that any
review, dissemination, distribution or copying of
this communication is prohibited by the sender and
to do so might constitute a violation of the
Electronic Communications Privacy Act, 18 U.S.C.
section 2510-2521. Please immediately notify the
sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset></fieldset>
<br>
<pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</div>
</div>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">--
Ing. Ivan Noris
Senior Identity Management Engineer
<a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a> <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
_____________________________________________
"Semper Id(e)M Vix."
</pre>
</font></span></div>
<br>
_______________________________________________<br>
midPoint mailing list<br>
<a moz-do-not-send="true"
href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a><br>
<a moz-do-not-send="true"
href="http://lists.evolveum.com/mailman/listinfo/midpoint"
target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<font size="2"><br>
<br>
CONFIDENTIALITY NOTICE:<br>
This e-mail together with any attachments is proprietary and
confidential; intended for only the recipient(s) named above and
may contain information that is privileged. You should not
retain, copy or use this e-mail or any attachments for any
purpose, or disclose all or any part of the contents to any
person. Any views or opinions expressed in this e-mail are those
of the author and do not represent those of the Baptist School
of Health Professions. If you have received this e-mail in
error, or are not the named recipient(s), you are hereby
notified that any review, dissemination, distribution or copying
of this communication is prohibited by the sender and to do so
might constitute a violation of the Electronic Communications
Privacy Act, 18 U.S.C. section 2510-2521. Please immediately
notify the sender and delete this e-mail and any attachments
from your computer. </font><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
</body>
</html>