- The SSO-CAS Login Handler allows the IdP to delegate authentication to a CAS server. It differs from the RemoteUser login handler in that it supports force authentication.
- This guide assumes you have a running IdP that has already been configured to use CAS. You can do that by following this guide: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration.
- To instruct your resources to use force authentication, see NativeSPSessionInitiator.
- The SSO-CAS Login Handler is compatible with any 2.X IdP, 3.X CAS client and 3.X CAS server.
Download and installation
Check out the sources and build the JAR:

    svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
    cd ssocas-login-handler
    mvn package
This will create the latest ssocas-login-handler-x.x.jar in your ssocas-login-handler/target/ directory.
Installation
The first step is to add the JAR (downloaded or built from the source code) into the lib directory of your IdP's installation directory:

    cp ssocas-login-handler-0.1.jar $IDP_INSTALL_DIR/lib

Info: You could then re-install the IdP, but there is no point doing it right now, since the following configuration modifications will also require a re-installation.
Configuration
Web applications
Info: You might be interested in maintaining your own web.xml configuration file in the IdP configuration directory. See Advanced Installation Topics there: IdPInstall
Modify the CAS client filters settings in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml (do not forget to modify the filter-mappings that were already defined):
    <!-- CAS Authentication Filter -->
    <filter>
        <filter-name>CAS Authentication Filter</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://example.cas.server/cas/login</param-value>
        </init-param>
    </filter>

    <!-- CAS Validation Filter -->
    <filter>
        <filter-name>CAS Validation Filter</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://example.cas.server/cas</param-value>
        </init-param>
    </filter>

    <!-- CAS Authentication Filter - forceAuthn -->
    <filter>
        <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://example.cas.server/cas/login</param-value>
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <!-- CAS Validation Filter - forceAuthn -->
    <filter>
        <filter-name>CAS Validation Filter - forceAuthn</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://example.cas.server/cas</param-value>
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <!-- CAS HttpServletRequest Wrapper Filter -->
    <filter>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <!-- CAS Assertion Thread Local Filter -->
    <filter>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>

    <!-- CAS Filters Mappings -->
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
        <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter - forceAuthn</filter-name>
        <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>
Modify the remote user servlet mapping (still in this web.xml):
    <servlet-mapping>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </servlet-mapping>
Handlers
Define the CentralAuthnService login handler in $IDP_CONFIG_DIR/handler.xml.
Define the following namespace and schema location in ProfileHandlerGroup:

    <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:sclh="fr:renater:ssocashandler"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                                                fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">
Define the handler itself:
    <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>

Info: You should also comment out or delete the RemoteUser login handler definition, since the IdP will not use it anymore.
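The web.xml and handler.xml edits above only work together when they agree: the casFiltersPath of the handler must be the prefix under which the CAS filters and the RemoteUserAuthHandler servlet are mapped, and the two filters serving the ForceAuthn path must both carry renew=true, otherwise a "force authentication" request silently falls back to CAS single sign-on. The following script is an added example (not part of the Renater handler or the Shibboleth IdP) that parses both files and reports any such mismatch. The two sample documents are constructed from the fragments on this page, trimmed to the elements the checks read; the function names (parse_web_xml, cas_filters_path, check_config) are this example's own.

```python
"""Cross-check the CAS filter wiring in web.xml against handler.xml (added example)."""
import xml.etree.ElementTree as ET

PH_NS = "urn:mace:shibboleth:2.0:idp:profile-handler"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# Constructed sample web.xml: the page's CAS client filters, mappings and servlet-mapping,
# trimmed to what the checks read (the wrapper and thread-local filters are omitted).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter><filter-name>CAS Authentication Filter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://example.cas.server/cas/login</param-value></init-param></filter>
  <filter><filter-name>CAS Validation Filter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://example.cas.server/cas</param-value></init-param></filter>
  <filter><filter-name>CAS Authentication Filter - forceAuthn</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://example.cas.server/cas/login</param-value></init-param>
    <init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
  <filter><filter-name>CAS Validation Filter - forceAuthn</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://example.cas.server/cas</param-value></init-param>
    <init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
  <filter-mapping><filter-name>CAS Authentication Filter</filter-name>
    <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Authentication Filter - forceAuthn</filter-name>
    <url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter - forceAuthn</filter-name>
    <url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
  <servlet-mapping><servlet-name>RemoteUserAuthHandler</servlet-name>
    <url-pattern>/Authn/Cas/*</url-pattern></servlet-mapping>
</web-app>"""

# Constructed sample handler.xml: the ProfileHandlerGroup and LoginHandler from the page.
SAMPLE_HANDLER_XML = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sclh="fr:renater:ssocashandler">
  <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""


def _local(tag):
    """Strip the namespace so a default-namespaced web.xml is handled like a bare one."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    return _children(elem, name)[0].text.strip()


def parse_web_xml(text):
    """Return (filters, filter mappings, RemoteUserAuthHandler url-patterns)."""
    root = ET.fromstring(text)
    filters = {}
    for f in _children(root, "filter"):
        params = {_text(p, "param-name"): _text(p, "param-value") for p in _children(f, "init-param")}
        filters[_text(f, "filter-name")] = params
    mappings = [(_text(m, "filter-name"), _text(m, "url-pattern")) for m in _children(root, "filter-mapping")]
    servlet_patterns = [_text(m, "url-pattern") for m in _children(root, "servlet-mapping")
                        if _text(m, "servlet-name") == "RemoteUserAuthHandler"]
    return filters, mappings, servlet_patterns


def cas_filters_path(handler_xml):
    """Return casFiltersPath of the sclh:CentralAuthnService LoginHandler, or None."""
    root = ET.fromstring(handler_xml)
    for lh in root.iter("{%s}LoginHandler" % PH_NS):
        if lh.get("{%s}type" % XSI_NS, "").endswith("CentralAuthnService"):
            return lh.get("casFiltersPath")
    return None


def check_config(web_xml, handler_xml):
    """Return a list of problems; an empty list means the force-authn wiring is consistent."""
    filters, mappings, servlet_patterns = parse_web_xml(web_xml)
    path = cas_filters_path(handler_xml)
    if path is None:
        return ["handler.xml: no sclh:CentralAuthnService LoginHandler found"]
    problems = []
    if path + "/*" not in servlet_patterns:
        problems.append("web.xml: RemoteUserAuthHandler is not mapped to %s/*" % path)
    for name, pattern in mappings:
        if name not in filters:
            problems.append("web.xml: mapping refers to undefined filter %r" % name)
            continue
        if not pattern.startswith(path + "/"):
            problems.append("web.xml: filter %r mapped outside casFiltersPath: %s" % (name, pattern))
        params = filters[name]
        renew = params.get("renew", "false").lower() == "true"
        if pattern.endswith("/ForceAuthn") and not renew:   # renew=true is what forces CAS to re-authenticate
            problems.append("web.xml: %r serves ForceAuthn but renew is not true" % name)
        if pattern.endswith("/NoForceAuthn") and renew:      # would re-prompt users on every ordinary login
            problems.append("web.xml: %r serves NoForceAuthn but sets renew=true" % name)
        for key in ("casServerLoginUrl", "casServerUrlPrefix"):
            if key in params and not params[key].startswith("https://"):
                problems.append("web.xml: %r %s is not https" % (name, key))
    return problems


if __name__ == "__main__":
    for line in check_config(SAMPLE_WEB_XML, SAMPLE_HANDLER_XML) or ["OK: configuration is consistent"]:
        print(line)
```

Run it against the real files by reading $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml and $IDP_CONFIG_DIR/handler.xml into the two arguments of check_config; the validation filter matters as much as the authentication filter here, because a service ticket issued for a single-sign-on session validates just fine unless the validator also asks for renew.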
Logs
Optionally, if you want your new login handler to log, add the following lines to $IDP_CONFIG_DIR/logging.xml (setting the level to ERROR or DEBUG):

    <!-- Logs from SSO-CAS Login Handler -->
    <logger name="fr.renater.ssocashandler" level="DEBUG"/>
You will get the logs produced by the handler in the usual idp-process.log.
Deployment
You can now re-install the IdP:

    cd $IDP_INSTALL_DIR
    ./install.sh

and restart your container to complete the installation of the login handler.