Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
  • The SSO-CAS Login Handler allows ti delegate authentication to a CAS server. It is different from the RemoteUser login handler in that it supports force authentication.
  • This guide assumes you have a running IdP, and that it has already been configured to use CAS. You can do it by following this : https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration.
  • To instruct your resources to use force authentication, see NativeSPSessionInitiator.

 

Download and installation

...

Configuration

Web applications

 

  • Modify the CAS client filters settings in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml (do not forget to modify the filter-mappings that were already defined):

    Code Block
    languagehtml/xml
    	<!-- CAS Authentication Filter -->
    	<filter> 
    	 <filter-name>CAS Authentication Filter</filter-name> 
    	 <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> 
    	 <init-param> 
    	  <param-name>casServerLoginUrl</param-name> 
    	  <param-value>https://example.cas.server/cas/login</param-value> 
    	 </init-param> 
    	</filter> 
     
    	<!-- CAS Validation Filter --> 
    	<filter> 
    	 <filter-name>CAS Validation Filter</filter-name> 
    	 <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> 
    	 <init-param> 
    	  <param-name>casServerUrlPrefix</param-name> 
    	  <param-value>https://services-federation.renater.fr/cas</param-value> 
    	 </init-param> 
    	</filter> 
     
    	<!-- CAS Authentication Filter - forceAuthn  -->
    	<filter> 
    	 <filter-name>CAS Authentication Filter - forceAuthn</filter-name> 
    	 <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class> 
    	 <init-param> 
    	  <param-name>casServerLoginUrl</param-name> 
    	  <param-value>https://example.cas.server/cas/login</param-value> 
    	 </init-param> 
    	 <init-param> 
    	  <param-name>renew</param-name> 
    	  <param-value>true</param-value> 
    	 </init-param>
    	</filter> 
     
    	<!-- CAS Validation Filter - forceAuthn -->
    	<filter> 
    	 <filter-name>CAS Validation Filter - forceAuthn</filter-name> 
    	 <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class> 
    	 <init-param> 
    	  <param-name>casServerUrlPrefix</param-name> 
    	  <param-value>https://services-federation.renater.fr/cas</param-value> 
    	 </init-param> 
    	 <init-param> 
    	  <param-name>renew</param-name> 
    	  <param-value>true</param-value> 
    	 </init-param>
    	</filter> 
     
     
    	<!-- CAS HttpServletRequest Wrapper Filter --> 
    	<filter> 
    	 <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> 
    	 <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class> 
    	</filter> 
     
    	<!-- CAS Assertion Thread Local Filter --> 
    	<filter> 
    	 <filter-name>CAS Assertion Thread Local Filter</filter-name> 
    	 <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class> 
    	</filter> 
     
    	<!-- CAS Filter for Shibb RemoteUser --> 
    	<filter-mapping> 
    	 <filter-name>CAS Authentication Filter</filter-name> 
    	 <url-pattern>/Authn/Cas/NoforceAuthn</url-pattern> 
    	 <dispatcher>REQUEST</dispatcher>  
    	 <dispatcher>FORWARD</dispatcher>  
    	</filter-mapping> 
     
    	<filter-mapping> 
    	 <filter-name>CAS Validation Filter</filter-name> 
    	 <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern> 
    	</filter-mapping> 
     
     
    	<filter-mapping> 
    	 <filter-name>CAS Authentication Filter - forceAuthn</filter-name> 
    	 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
    	 <dispatcher>REQUEST</dispatcher>  
    	 <dispatcher>FORWARD</dispatcher>  
    	</filter-mapping> 
     
    	<filter-mapping> 
    	 <filter-name>CAS Validation Filter - forceAuthn</filter-name> 
    	 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
    	</filter-mapping> 
     
     
    	<filter-mapping> 
    	 <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>  
    	 <url-pattern>/Authn/Cas/*</url-pattern> 
    	</filter-mapping> 
    	<filter-mapping> 
    	 <filter-name>CAS Assertion Thread Local Filter</filter-name>
    	 <url-pattern>/Authn/Cas/*</url-pattern> 
    	</filter-mapping>
  • Modify the remote user servlet mapping (still in this web.xml) :

    Code Block
    languagehtml/xml
        <servlet-mapping>
            <servlet-name>RemoteUserAuthHandler</servlet-name>
            <url-pattern>/Authn/Cas/*</url-pattern>
        </servlet-mapping>
    

Handlers

Define the CentralAuthnService login handler in $IDP_CONFIG_DIR/handler.xml :

  • Define the following namespace and schema in ProfileHandlerGroup :

    Code Block
    languagehtml/xml
        <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    			    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    			    xmlns:sclh="fr:renater:ssocashandler"
    			    xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
      									fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">
  • Define the handler itself:

    Code Block
    languagehtml/xml
        <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
            <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        </ph:LoginHandler>


     You should also comment or delete the RemoteUser login handler definition, since the IdP will not use it anymore.

...