<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Hi Jason,<br>
      <br>
      A few days ago I finished the integration of the CAS server with midPoint
      using the CAS client libraries (Spring). I've tested it and it works
      for me. I only need to push it to midPoint's git repository
      and write some notes on the wiki. <br>
      <br>
      Regards,<br>
      Katarina Valalikova<br>
      <br>
      On 4. 2. 2015 at 19:20, Jason Everling wrote:<br>
    </div>
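    <div>
      <p>Added example, not code from this thread, the midPoint project or
      mod_auth_cas: an offline Python model of the two trust hops in the
      Apache + mod_auth_cas + Tomcat + midPoint procedure Jason posted further
      down in this thread. It builds the CAS login redirect and the
      serviceValidate request from the CASLoginURL, CASValidateURL and
      CASRootProxiedAs values, parses a CAS 2.0 serviceValidate response the
      way mod_auth_cas must before it sets the Cas-User header, and then
      applies the same header-trust rule as midPoint's
      requestHeaderAuthenticationFilter (principalRequestHeader = Cas-User,
      matched against midPoint user names). The hostnames, ticket, XML
      responses and user list are constructed samples.</p>
```python
"""Added example, not code from the mailing-list post, midPoint or mod_auth_cas.

Offline model of the two trust hops in the setup quoted below:
  hop 1: mod_auth_cas sends the browser to CASLoginURL, then validates the
         returned service ticket against CASValidateURL (CAS protocol 2.0,
         serviceValidate) and stores the username in the header named by
         CasAuthNHeader ("Cas-User");
  hop 2: midPoint's RequestHeaderAuthenticationFilter takes the value of
         principalRequestHeader ("Cas-User") as the principal, which must
         equal a midPoint user "name".
Hostnames, tickets, XML responses and the user list are constructed samples.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 XML responses

# Constructed CAS 2.0 serviceValidate responses (format from the CAS protocol).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

# Constructed: the "name" values of users that exist in midPoint.
MIDPOINT_USER_NAMES = {"jsmith", "administrator"}


def service_url(root_proxied_as, request_uri):
    """The service= value mod_auth_cas registers with CAS.  CASRootProxiedAs
    replaces the scheme and host Apache would otherwise take from its own
    ServerName; the post warns it must carry no trailing slash and no
    /midpoint suffix, because the request path is appended here."""
    if root_proxied_as.endswith("/"):
        raise ValueError("CASRootProxiedAs must not end with a slash")
    return root_proxied_as + request_uri


def login_redirect(cas_login_url, service):
    """Location header of the redirect to CASLoginURL."""
    return cas_login_url + "?" + urlencode({"service": service})


def validate_url(cas_validate_url, service, ticket):
    """URL fetched from CASValidateURL.  CAS only accepts the ticket if this
    service value is identical to the one used at login."""
    return cas_validate_url + "?" + urlencode({"service": service, "ticket": ticket})


def validate_response(xml_text):
    """Parse a serviceValidate response.  Returns ("success", username) or
    ("failure", code); anything unexpected raises, so the caller fails closed."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a cas:serviceResponse")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return ("failure", failure.get("code", "UNKNOWN"))
    success = root.find(CAS_NS + "authenticationSuccess")
    user = None if success is None else success.findtext(CAS_NS + "user")
    if not user or not user.strip():
        raise ValueError("authenticationSuccess without a cas:user value")
    return ("success", user.strip())


def preauth(headers, user_names, header_name="Cas-User"):
    """Hop 2.  Like the Spring filter, this trusts the header as-is: whoever
    can put a request with this header in front of the filter is that user.
    In the quoted setup that is acceptable only because Apache sets the
    header after CAS validation and nothing else can reach Tomcat's AJP port."""
    lowered = {k.lower(): v for k, v in headers.items()}
    principal = lowered.get(header_name.lower())
    if principal is None:
        return ("no-principal", None)          # Spring: credentials not found
    if principal not in user_names:
        return ("unknown-user", None)          # no midPoint user with that name
    return ("authenticated", principal)


def end_to_end(cas_xml=SUCCESS_XML):
    """Run both hops for one login and return the preauth result."""
    service = service_url("https://midpoint.example.test", "/midpoint/")
    login_redirect("https://cas.example.test/cas/login", service)
    validate_url("https://cas.example.test/cas/serviceValidate", service,
                 "ST-0000-constructed")
    status, value = validate_response(cas_xml)
    if status != "success":
        return ("cas-rejected", value)       # mod_auth_cas would not set Cas-User
    forwarded = {"Cas-User": value, "Host": "midpoint.example.test"}
    return preauth(forwarded, MIDPOINT_USER_NAMES)


if __name__ == "__main__":
    print(end_to_end())                        # ('authenticated', 'jsmith')
    print(end_to_end(FAILURE_XML))             # ('cas-rejected', 'INVALID_TICKET')
```
      <p>Running the file prints the result for the success sample and for the
      INVALID_TICKET sample. The second hop is deliberately as trusting as the
      Spring filter it models, which is the caveat of this whole design: the
      Connector line in the post's server.xml sets no address attribute, and
      on Tomcat 7 a connector without one listens on all interfaces, so port
      8009 should be bound to 127.0.0.1 or firewalled to the Apache host. If
      anything other than Apache can reach the AJP connector (or a plain HTTP
      connector on the same Tomcat), a request carrying a hand-made Cas-User
      header is logged in as that user without ever touching CAS.</p>
    </div>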
    <blockquote
cite="mid:CAFkZXY7m8LOv+nkKKdGt7BuyMpUAwrZkSEfhXDvwb8dAO0iK7Q@mail.gmail.com"
      type="cite">
      <div dir="ltr">I was thinking about directly integrating the Java
        CAS Client into midPoint by forking the code, then making the
        changes and adding the CAS client libraries. This way the CAS
        login URL and the options to use CAS can be set in the GUI, and
        all of this can be skipped.
        <div><br>
        </div>
        <div>Is this Ok?</div>
        <div><br>
        </div>
        <div>JASON</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 4, 2015 at 11:30 AM, Ivan
          Noris <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ivan.noris@evolveum.com" target="_blank">ivan.noris@evolveum.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Fixed, thanks.<br>
              <br>
              I.
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 02/04/2015 05:40 PM, Jason Everling wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">That looks good!
                      <div><br>
                      </div>
                      <div>I had made a typo on the following,</div>
                      <div><span><br>
                        </span></div>
                      <div><span>sudo vi
                          /var/lib/tomcat7/webapps/ctx-web-security.xml</span></div>
                      <div><span><br>
                        </span></div>
                      <div><span>Should be</span></div>
                      <div><span><br>
                        </span></div>
                      <div><span>sudo vi
                          /var/lib/tomcat7/webapps/midpoint/ctx-web-security.xml</span><span><br>
                        </span></div>
                      <div><span><br>
                        </span></div>
                      <div><span>JASON</span></div>
                    </div>
                    <div class="gmail_extra"><br>
                      <div class="gmail_quote">On Wed, Feb 4, 2015 at
                        8:34 AM, Radovan Semancik <span dir="ltr"><<a
                            moz-do-not-send="true"
                            href="mailto:radovan.semancik@evolveum.com"
                            target="_blank">radovan.semancik@evolveum.com</a>></span>
                        wrote:<br>
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div text="#000000" bgcolor="#FFFFFF">
                            <div>Hi,<br>
                              <br>
                              I have placed it in our wiki:<br>
                              <a moz-do-not-send="true"
                                href="https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847"
                                target="_blank">https://wiki.evolveum.com/pages/viewpage.action?pageId=17760847</a><br>
                              <br>
                              Thanks again!<span><br>
                                <br>
                                <pre cols="72">-- 

                                           Radovan Semancik
                                          Software Architect
                                             <a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>
</pre>
                                <br>
                                <br>
                              </span>
                              <div>
                                <div> On 02/04/2015 03:06 PM, Jason
                                  Everling wrote:<br>
                                </div>
                              </div>
                            </div>
                            <div>
                              <div>
                                <blockquote type="cite">
                                  <div dir="ltr">That is correct!
                                    <div><br>
                                    </div>
                                    <div>JASON</div>
                                  </div>
                                  <div class="gmail_extra"><br>
                                    <div class="gmail_quote">On Wed, Feb
                                      4, 2015 at 8:03 AM, Radovan
                                      Semancik <span dir="ltr"><<a
                                          moz-do-not-send="true"
                                          href="mailto:radovan.semancik@evolveum.com"
                                          target="_blank">radovan.semancik@evolveum.com</a>></span>
                                      wrote:<br>
                                      <blockquote class="gmail_quote"
                                        style="margin:0 0 0
                                        .8ex;border-left:1px #ccc
                                        solid;padding-left:1ex">
                                        <div text="#000000"
                                          bgcolor="#FFFFFF">
                                          <div>Hi Jason,<br>
                                            <br>
                                            Thanks a lot for the
                                            contribution. This would
                                            really be a nice addition to
                                            our wiki. Just to be
                                            completely sure: you were
                                            setting up midPoint as a
                                            client (relying party) in a
                                            CAS-based SSO system by
                                            using a CAS agent in apache,
                                            right?<br>
                                            <br>
                                            <div>
                                              <div> <br>
                                                <br>
                                                On 02/03/2015 06:11 PM,
                                                Jason Everling wrote:<br>
                                              </div>
                                            </div>
                                          </div>
                                          <blockquote type="cite">
                                            <div>
                                              <div>
                                                <div dir="ltr">I have
                                                  successfully got this
                                                  working so I wanted to
                                                  post it so that if you
                                                  wanted to include it
                                                  on your wiki, maybe
                                                  clean it up so that
                                                  the steps look nicer!
                                                  <div><br>
                                                  </div>
                                                  <div>CAS Usernames
                                                    must match midPoint
                                                    user "name"<br>
                                                    <div>
                                                      <div><br>
                                                      </div>
                                                      <div>In this
                                                        example I am
                                                        using Apache
                                                        with Tomcat 7,
                                                        auth-cas and
                                                        mod-jk</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Assumed
                                                        Configuration:</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Apache
                                                        installed and
                                                        configured with
                                                        SSL</div>
                                                      <div>Tomcat
                                                        installed and
                                                        configured,
                                                        already working
                                                        with midPoint</div>
                                                      <div><br>
                                                      </div>
                                                      <div><b>Apache
                                                          Configuration</b></div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo apt-get
                                                        install
                                                        libapache2-mod-jk
libapache2-mod-auth-cas</div>
                                                      <div><br>
                                                      </div>
                                                      <div><br>
                                                      </div>
                                                      <div>1. Configure
                                                        mod-jk</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Create a
                                                        workers.properties
                                                        file in
                                                        /etc/apache2</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo vi
                                                        /etc/apache2/workers.properties</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Add the
                                                        following</div>
                                                      <div><br>
                                                      </div>
                                                      <div>worker.list=worker1</div>
                                                      <div>worker.worker1.port=8009</div>
                                                      <div>worker.worker1.host=localhost</div>
                                                      <div>worker.worker1.type=ajp13</div>
                                                      <div><br>
                                                      </div>
                                                      <div>2. Configure
                                                        apache2 sites</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo vi
                                                        /etc/apache2/sites-available/default-ssl.conf</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Add the
                                                        following below
                                                        the first
                                                        default
                                                        DocumentRoot
                                                        /var/www/html</div>
                                                      <div><br>
                                                      </div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span><Location
                                                        ~
                                                        "/midpoint*"></div>
                                                      <div> <span
                                                          style="white-space:pre-wrap">
                                                        </span>AuthType
                                                        CAS</div>
                                                      <div> <span
                                                          style="white-space:pre-wrap">
                                                        </span>AuthName
                                                        "CAS"</div>
                                                      <div> <span
                                                          style="white-space:pre-wrap">
                                                        </span>require
                                                        valid-user</div>
                                                      <div> <span
                                                          style="white-space:pre-wrap">
                                                        </span>CasAuthNHeader
                                                        Cas-User</div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span></Location></div>
                                                      <div><br>
                                                      </div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span>JkMount
                                                        /midpoint*
                                                        worker1<span
                                                          style="white-space:pre-wrap">
                                                        </span></div>
                                                      <div><br>
                                                      </div>
                                                      <div>3. Configure
                                                        auth-cas</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo vi
                                                        /etc/apache2/mods-available/auth_cas.conf</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Add the
                                                        following</div>
                                                      <div><br>
                                                      </div>
                                                      <div>CASCookiePath
/var/cache/apache2/mod_auth_cas/</div>
                                                      <div>CASLoginURL <a
moz-do-not-send="true" href="https://SERVERURL/cas/login"
                                                          target="_blank">https://SERVERURL/cas/login</a></div>
                                                      <div>CASValidateURL
                                                        <a
                                                          moz-do-not-send="true"
href="https://SERVERURL/cas/serviceValidate" target="_blank">https://SERVERURL/cas/serviceValidate</a></div>
                                                      <div>CASDebug Off</div>
                                                      <div>CASValidateServer
                                                        On</div>
                                                      <div>CASVersion 2</div>
                                                      <div>CASSSOEnabled
                                                        On</div>
                                                      <div># Below is needed: auth-cas uses the server hostname in the service URL redirect, so we override it here. Do not add a trailing / or /midpoint!</div>
                                                      <div>CASRootProxiedAs
                                                        <a
                                                          moz-do-not-send="true"
href="https://MIDPOINTSERVERURL" target="_blank">https://MIDPOINTSERVERURL</a></div>
                                                      <div><br>
                                                      </div>
                                                      <div>Restart
                                                        Apache2</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo service
                                                        apache2 restart</div>
                                                      <div><br>
                                                      </div>
                                                      <div><b>Tomcat
                                                          Configuration</b></div>
                                                      <div><br>
                                                      </div>
                                                      <div>1. Configure
                                                        tomcat to use
                                                        the AJP
                                                        connector</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo vi
                                                        /var/lib/tomcat7/conf/server.xml</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Uncomment the
                                                        following so
                                                        that it reads</div>
                                                      <div><br>
                                                      </div>
                                                      <div>    <!--
                                                        Define an AJP
                                                        1.3 Connector on
                                                        port 8009 --></div>
                                                      <div><br>
                                                      </div>
                                                      <div>   
                                                        <Connector
                                                        port="8009"
                                                        protocol="AJP/1.3"
                                                        redirectPort="8443"
                                                        /></div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span></div>
                                                      <div><b>Midpoint
                                                          Configuration</b></div>
                                                      <div><br>
                                                      </div>
                                                      <div>1. Edit
                                                        ctx-web-security.xml</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo vi
                                                        /var/lib/tomcat7/webapps/ctx-web-security.xml</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Uncomment the
                                                        following so
                                                        that it reads</div>
                                                      <div><br>
                                                      </div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span><!--
                                                        For SSO
                                                        integration use
                                                        the following:
                                                        --></div>
                                                      <div>        &lt;custom-filter position="PRE_AUTH_FILTER" ref="requestHeaderAuthenticationFilter" /&gt;</div>
                                                      <div><br>
                                                      </div>
                                                      <div>Edit the
                                                        following value
                                                        "principalRequestHeader"
                                                        in the bean
                                                        "requestHeaderAuthenticationFilter"
                                                        so that it reads</div>
                                                      <div><br>
                                                      </div>
                                                      <div>    <!--
                                                        Following bean
                                                        is used with
                                                        pre-authentication
                                                        based on HTTP
                                                        headers (e.g.
                                                        for SSO
                                                        integration)
                                                        --></div>
                                                      <div>   
                                                        <beans:bean
                                                        id="requestHeaderAuthenticationFilter"
class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter"></div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span>   &lt;beans:property name="principalRequestHeader" value="Cas-User"/&gt;</div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span>   &lt;beans:property name="authenticationManager" ref="authenticationManager" /&gt;</div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span></beans:bean></div>
                                                      <div><span
                                                          style="white-space:pre-wrap">
                                                        </span></div>
                                                      <div>Finally
                                                        restart tomcat7</div>
                                                      <div><br>
                                                      </div>
                                                      <div>sudo service
                                                        tomcat7 restart</div>
                                                      <div><br>
                                                      </div>
                                                      <div>User can now
                                                        login to
                                                        midPoint using
                                                        CAS</div>
                                                    </div>
                                                  </div>
                                                  <div><br>
                                                  </div>
                                                  <div>Thanks,</div>
                                                  <div>JASON</div>
                                                </div>
                                                <br>
                                              </div>
                                            </div>
                                            <font><br>
                                              <br>
                                              CONFIDENTIALITY NOTICE:<br>
                                              This e-mail together with
                                              any attachments is
                                              proprietary and
                                              confidential; intended for
                                              only the recipient(s)
                                              named above and may
                                              contain information that
                                              is privileged. You should
                                              not retain, copy or use
                                              this e-mail or any
                                              attachments for any
                                              purpose, or disclose all
                                              or any part of the
                                              contents to any person.
                                              Any views or opinions
                                              expressed in this e-mail
                                              are those of the author
                                              and do not represent those
                                              of the Baptist School of
                                              Health Professions. If you
                                              have received this e-mail
                                              in error, or are not the
                                              named recipient(s), you
                                              are hereby notified that
                                              any review, dissemination,
                                              distribution or copying of
                                              this communication is
                                              prohibited by the sender
                                              and to do so might
                                              constitute a violation of
                                              the Electronic
                                              Communications Privacy
                                              Act, 18 U.S.C. section
                                              2510-2521. Please
                                              immediately notify the
                                              sender and delete this
                                              e-mail and any attachments
                                              from your computer. </font><br>
                                            <br>
                                            <fieldset></fieldset>
                                            <br>
                                            <pre>_______________________________________________
midPoint mailing list
<a moz-do-not-send="true" href="mailto:midPoint@lists.evolveum.com" target="_blank">midPoint@lists.evolveum.com</a>
<a moz-do-not-send="true" href="http://lists.evolveum.com/mailman/listinfo/midpoint" target="_blank">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
                                          </blockquote>
                                          <br>
                                          <br>
                                        </div>
                                        <br>
                                        <br>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                  <br>
                                </blockquote>
                                <br>
                                <br>
                              </div>
                            </div>
                          </div>
                          <br>
                          <br>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
              <span class="HOEnZb"><font color="#888888">
                  <pre cols="72">-- 
  Ing. Ivan Noris
  Senior Identity Management Engineer
  <a moz-do-not-send="true" href="http://evolveum.com" target="_blank">evolveum.com</a>     <a moz-do-not-send="true" href="http://evolveum.com/blog/" target="_blank">evolveum.com/blog/</a>
  _____________________________________________
  "Semper Id(e)M Vix."
</pre>
                </font></span></div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>