  • The SSO-CAS Login Handler allows the IdP to delegate authentication to a CAS server. It differs from the RemoteUser login handler in that it supports forced authentication (a SAML request with ForceAuthn set), which it honours by sending the user to CAS with renew=true.
  • This guide assumes you have a running IdP that has already been configured to use CAS. You can do that by following this guide: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration.
  • To instruct your resources (SPs) to request forced authentication, see NativeSPSessionInitiator.
  • The SSO-CAS Login Handler is compatible with any 2.X IdP, 3.X CAS client and 3.X CAS server.

Download and installation

...

Code Block
svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
cd ssocas-login-handler
mvn package

This will create the latest ssocas-login-handler-x.x.jar in your ssocas-login-handler/target/ directory.

Installation

The first step is to add the JAR (downloaded, or built from source as above) to the lib directory of your IdP's installation directory:

Code Block
cp ssocas-login-handler-0.1.jar $IDP_INSTALL_DIR/lib
Info

You could then re-install the IdP, but there is no point doing it right now, since the following configuration modifications will also require a re-installation.

Configuration

Web applications

...

Info

You might be interested in maintaining your own web.xml configuration file in the IdP configuration directory. See Advanced Installation Topics in IdPInstall.

  • Modify the CAS client filter settings in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml (do not forget to modify the filter-mappings that were already defined). Note that renew=true is set on both the authentication and the validation filter of the ForceAuthn path: on the authentication filter it makes the CAS client send the user to the CAS login page with renew=true; on the validation filter it makes the client reject a service ticket that CAS issued from an existing SSO session rather than from freshly presented credentials. Without the second one, forced authentication is only requested, not enforced.

    Code Block
    languagehtml/xml
    <!-- CAS Authentication Filter -->
    <filter>
      <filter-name>CAS Authentication Filter</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://example.cas.server/cas/login</param-value>
      </init-param>
    </filter>

    <!-- CAS Validation Filter -->
    <filter>
      <filter-name>CAS Validation Filter</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://example.cas.server/cas</param-value>
      </init-param>
    </filter>

    <!-- CAS Authentication Filter - forceAuthn -->
    <filter>
      <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
      <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
      <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://example.cas.server/cas/login</param-value>
      </init-param>
      <init-param>
        <param-name>renew</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>

    <!-- CAS Validation Filter - forceAuthn -->
    <filter>
      <filter-name>CAS Validation Filter - forceAuthn</filter-name>
      <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
      <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://example.cas.server/cas</param-value>
      </init-param>
      <init-param>
        <param-name>renew</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>

    <!-- CAS HttpServletRequest Wrapper Filter -->
    <filter>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
    </filter>

    <!-- CAS Assertion Thread Local Filter -->
    <filter>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
    </filter>

    <!-- CAS Filters Mappings -->
    <filter-mapping>
      <filter-name>CAS Authentication Filter</filter-name>
      <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <filter-mapping>
      <filter-name>CAS Validation Filter</filter-name>
      <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
      <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

    <filter-mapping>
      <filter-name>CAS Validation Filter - forceAuthn</filter-name>
      <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
      <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>

    <filter-mapping>
      <filter-name>CAS Assertion Thread Local Filter</filter-name>
      <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>
  • Modify the RemoteUser servlet mapping (still in this web.xml) so that the servlet is reached through the path the CAS filters protect:

    Code Block
    languagehtml/xml
    <servlet-mapping>
      <servlet-name>RemoteUserAuthHandler</servlet-name>
      <url-pattern>/Authn/Cas/*</url-pattern>
    </servlet-mapping>
    

Handlers

...

  • Define the following namespace and schema location on the ProfileHandlerGroup element of $IDP_CONFIG_DIR/handler.xml:

    Code Block
    languagehtml/xml
    <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:sclh="fr:renater:ssocashandler"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                                                fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">

 

  • Define the handler itself (casFiltersPath must be the path prefix the CAS filters and the RemoteUserAuthHandler servlet are mapped under in web.xml):

    Code Block
    languagehtml/xml
    <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
      <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    </ph:LoginHandler>

Info

You should also comment out or delete the RemoteUser login handler definition, since the IdP will not use it anymore.
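The web.xml and handler.xml steps above have to agree with each other, and the ForceAuthn path is only as strong as its validation filter. The following script is an added example, not code from the SSO-CAS Login Handler project: it parses both files and reports the mistakes the steps guard against (renew missing on either ForceAuthn filter, renew wrongly set on the NoForceAuthn path, the RemoteUserAuthHandler servlet not mapped under the CAS filter path, casFiltersPath not matching that mapping, a RemoteUser login handler left in place). WEB_XML and HANDLER_XML are constructed samples trimmed to the elements the check reads; the CAS URLs and the javaee namespace are placeholders, and tag matching is by local name so a web.xml with or without a default namespace works.

```python
"""Consistency check for an SSO-CAS Login Handler deployment (added example,
not code from the handler project). WEB_XML and HANDLER_XML are constructed
samples trimmed to the elements the check reads."""
import io
import xml.etree.ElementTree as ET

PH = "urn:mace:shibboleth:2.0:idp:profile-handler"
SCLH = "fr:renater:ssocashandler"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <filter><filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class></filter>
 <filter><filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class></filter>
 <filter><filter-name>CAS Authentication Filter - forceAuthn</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
 <filter><filter-name>CAS Validation Filter - forceAuthn</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
 <filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
 <filter-mapping><filter-name>CAS Validation Filter</filter-name><url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
 <filter-mapping><filter-name>CAS Authentication Filter - forceAuthn</filter-name><url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
 <filter-mapping><filter-name>CAS Validation Filter - forceAuthn</filter-name><url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
 <servlet-mapping><servlet-name>RemoteUserAuthHandler</servlet-name><url-pattern>/Authn/Cas/*</url-pattern></servlet-mapping>
</web-app>"""

HANDLER_XML = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sclh="fr:renater:ssocashandler">
 <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
 </ph:LoginHandler>
</ph:ProfileHandlerGroup>"""

def local(tag):
    """Namespace-free tag name; web.xml may or may not declare a default namespace."""
    return tag.rsplit("}", 1)[-1]

def parse(text):
    """Root element plus the prefix -> URI map, which is needed to resolve xsi:type."""
    ns, root = {}, None
    for event, payload in ET.iterparse(io.BytesIO(text.encode()), events=("start-ns", "start")):
        if event == "start-ns":
            ns[payload[0]] = payload[1]
        elif root is None:
            root = payload
    return root, ns

def find(elem, name):
    return [e for e in elem.iter() if local(e.tag) == name]

def text_of(elem, name):
    return next(((c.text or "").strip() for c in elem if local(c.tag) == name), "")

def check_web_xml(root):
    filters = {}   # filter-name -> (filter-class, {param-name: param-value})
    for f in find(root, "filter"):
        params = {text_of(p, "param-name"): text_of(p, "param-value") for p in find(f, "init-param")}
        filters[text_of(f, "filter-name")] = (text_of(f, "filter-class"), params)
    mapped = {}    # url-pattern -> [filter-name]
    for m in find(root, "filter-mapping"):
        mapped.setdefault(text_of(m, "url-pattern"), []).append(text_of(m, "filter-name"))
    findings = []
    # renew must be on BOTH filters of the ForceAuthn path and on neither filter of NoForceAuthn
    for path, want in (("/Authn/Cas/ForceAuthn", True), ("/Authn/Cas/NoForceAuthn", False)):
        for kind in ("AuthenticationFilter", "TicketValidationFilter"):
            hits = [filters[n] for n in mapped.get(path, []) if n in filters and filters[n][0].endswith(kind)]
            if not hits:
                findings.append(f"{path}: no {kind} mapped")
            elif (hits[0][1].get("renew", "false").lower() == "true") != want:
                findings.append(f"{path}: {kind} has renew={not want}, expected {want}")
    servlet = [text_of(s, "url-pattern") for s in find(root, "servlet-mapping")
               if text_of(s, "servlet-name") == "RemoteUserAuthHandler"]
    if "/Authn/Cas/*" not in servlet:
        findings.append("RemoteUserAuthHandler is not mapped to /Authn/Cas/*")
    return findings, servlet

def check_handler_xml(root, ns, servlet_patterns):
    findings, types = [], []
    for h in find(root, "LoginHandler"):
        prefix, _, name = h.get(XSI_TYPE, "").rpartition(":")
        types.append((ns.get(prefix), name, h.get("casFiltersPath", "")))
    cas = [t for t in types if t[:2] == (SCLH, "CentralAuthnService")]
    if not cas:
        findings.append("no sclh:CentralAuthnService LoginHandler defined")
    for _, _, path in cas:   # the filter path must be what the RemoteUser servlet is mapped under
        if not any(p.startswith(path.rstrip("/") + "/") for p in servlet_patterns):
            findings.append(f"casFiltersPath {path} is not covered by the RemoteUserAuthHandler mapping")
    if any(t[:2] == (PH, "RemoteUser") for t in types):
        findings.append("RemoteUser LoginHandler is still defined; comment it out or delete it")
    return findings

def check(web_xml, handler_xml):
    """All findings for the pair of files; an empty list means the configuration is consistent."""
    web_root, _ = parse(web_xml)
    findings, servlet_patterns = check_web_xml(web_root)
    handler_root, ns = parse(handler_xml)
    return findings + check_handler_xml(handler_root, ns, servlet_patterns)

if __name__ == "__main__":
    print(check(WEB_XML, HANDLER_XML) or "configuration consistent")
```

Point check() at the contents of your own web.xml and handler.xml after editing them and before re-installing; the xsi:type prefix is resolved through the namespace declarations, so a handler.xml that uses a prefix other than sclh is still recognised as long as it maps to fr:renater:ssocashandler.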

 

Logs

Optionally, if you want your new login handler to log, add the following lines to $IDP_CONFIG_DIR/logging.xml (set the level to ERROR or DEBUG as needed):

Code Block
languagehtml/xml
<!-- Logs from SSO-CAS Login Handler -->
<logger name="fr.renater.ssocashandler" level="DEBUG"/>

You will get the logs produced by the handler in the usual idp-process.log.

Deployment

You can now re-install the IdP so that the new JAR and the modified web.xml are deployed:

...