SSO-CAS Login Handler
- The SSO-CAS Login Handler lets you delegate authentication to a CAS server. It differs from the RemoteUser login handler in that it supports forced authentication.
- This guide assumes you have a running IdP that has already been configured to use CAS. You can do so by following this guide: https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration.
- To instruct your resources to use force authentication, see NativeSPSessionInitiator.
- The SSO-CAS Login Handler is compatible with any 2.X IdP, 3.X CAS client and 3.X CAS server.
Download and installation
Download
You can either download the .JAR archive directly from https://sourcesup.renater.fr/frs/download.php/4086/ssocas-login-handler-0.1.jar or get the source code using Subversion:
svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
cd ssocas-login-handler
mvn package
This will create the latest ssocas-login-handler-x.x.jar in your ssocas-login-handler/target/ directory.
Installation
The first step is to copy the JAR (downloaded or built from source) into the lib directory of your IdP installation:
cp ssocas-login-handler-0.1.jar $IDP_INSTALL_DIR/lib
You could re-install the IdP at this point, but there is no point doing it yet, since the configuration changes below also require a re-installation.
Configuration
Web applications
You might be interested in maintaining your own web.xml configuration file in the IdP configuration directory; see Advanced Installation Topics in IdPInstall.
Modify the CAS client filter settings in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml (remember to update the filter-mappings that are already defined):
<!-- CAS Authentication Filter -->
<filter>
  <filter-name>CAS Authentication Filter</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://example.cas.server/cas/login</param-value>
  </init-param>
</filter>

<!-- CAS Validation Filter -->
<filter>
  <filter-name>CAS Validation Filter</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://example.cas.server/cas</param-value>
  </init-param>
</filter>

<!-- CAS Authentication Filter - forceAuthn -->
<filter>
  <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
  <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
  <init-param>
    <param-name>casServerLoginUrl</param-name>
    <param-value>https://example.cas.server/cas/login</param-value>
  </init-param>
  <init-param>
    <param-name>renew</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- CAS Validation Filter - forceAuthn -->
<filter>
  <filter-name>CAS Validation Filter - forceAuthn</filter-name>
  <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
  <init-param>
    <param-name>casServerUrlPrefix</param-name>
    <param-value>https://example.cas.server/cas</param-value>
  </init-param>
  <init-param>
    <param-name>renew</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- CAS HttpServletRequest Wrapper Filter -->
<filter>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>

<!-- CAS Assertion Thread Local Filter -->
<filter>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>

<!-- CAS Filters Mappings -->
<filter-mapping>
  <filter-name>CAS Authentication Filter</filter-name>
  <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter</filter-name>
  <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
  <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>FORWARD</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Validation Filter - forceAuthn</filter-name>
  <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/Authn/Cas/*</url-pattern>
</filter-mapping>
<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/Authn/Cas/*</url-pattern>
</filter-mapping>
Modify the remote user servlet mapping (still in this web.xml):
<servlet-mapping>
  <servlet-name>RemoteUserAuthHandler</servlet-name>
  <url-pattern>/Authn/Cas/*</url-pattern>
</servlet-mapping>
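Forced authentication rests entirely on the renew=true parameter being present on both the AuthenticationFilter and the validation filter of the ForceAuthn path: without it on the validation filter, a ticket minted from the user's existing CAS session validates and the IdP's forceAuthn request is silently not honoured. The following Python check is an added example (not part of the handler's distribution or the page's own configuration) that parses a web.xml and reports any mapping where the expected filters or the renew setting are missing; the filter names "A" and "V" and the sample fragment are constructed for the example.

```python
import xml.etree.ElementTree as ET

AUTHN_FILTER = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATION_FILTER = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"

def _parse(web_xml):
    """Parse web.xml and drop the Java EE namespace so plain tag names match."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def check_cas_path(web_xml, url_pattern, force_authn):
    """Return problems with the CAS filters mapped to url_pattern (empty list = as expected).
    force_authn=True: AuthenticationFilter and validation filter must both carry renew=true;
    force_authn=False: neither may, or users would be re-prompted on the NoForceAuthn path."""
    root = _parse(web_xml)
    filters = {}  # filter-name -> (filter-class, {param-name: param-value})
    for f in root.iter("filter"):
        params = {p.findtext("param-name"): p.findtext("param-value") for p in f.iter("init-param")}
        filters[f.findtext("filter-name")] = (f.findtext("filter-class"), params)
    mapped = [filters[m.findtext("filter-name")] for m in root.iter("filter-mapping")
              if m.findtext("url-pattern") == url_pattern and m.findtext("filter-name") in filters]
    problems = []
    for cls in (AUTHN_FILTER, VALIDATION_FILTER):
        short = cls.rsplit(".", 1)[-1]
        hits = [params for c, params in mapped if c == cls]
        if not hits:
            problems.append(f"{url_pattern}: no {short} mapped")
        for params in hits:
            renew = (params.get("renew") or "false").strip().lower() == "true"
            if renew != force_authn:
                problems.append(f"{url_pattern}: {short} renew={renew}, expected {force_authn}")
    return problems

def _sample(validation_renew):
    """Constructed web.xml fragment (not a real deployment file) mirroring the page's ForceAuthn wiring."""
    renew = "<init-param><param-name>renew</param-name><param-value>true</param-value></init-param>"
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>A</filter-name><filter-class>{AUTHN_FILTER}</filter-class>{renew}</filter>
<filter><filter-name>V</filter-name><filter-class>{VALIDATION_FILTER}</filter-class>{renew if validation_renew else ''}</filter>
<filter-mapping><filter-name>A</filter-name><url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
<filter-mapping><filter-name>V</filter-name><url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
</web-app>"""

SAMPLE_OK = _sample(True)
# Without renew=true on the validation filter, a ticket from an existing CAS SSO session still validates.
SAMPLE_MISSING_RENEW = _sample(False)
```

Run it against your real web.xml once for /Authn/Cas/ForceAuthn with force_authn=True and once for /Authn/Cas/NoForceAuthn with force_authn=False; both calls should return an empty list.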
Handlers
Define the CentralAuthnService login handler in $IDP_CONFIG_DIR/handler.xml.
Declare the following namespace and schema location on ProfileHandlerGroup:
<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sclh="fr:renater:ssocashandler"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                        fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">
Define the handler itself:
<ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
  <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
</ph:LoginHandler>
You should also comment or delete the RemoteUser login handler definition, since the IdP will not use it anymore.
Logs
Optionally, if you want the new login handler to log, add the following lines to $IDP_CONFIG_DIR/logging.xml (set level to ERROR or DEBUG):
<!-- Logs from SSO-CAS Login Handler -->
<logger name="fr.renater.ssocashandler" level="DEBUG"/>
The handler's log output goes to the usual idp-process.log.
Deployment
You can now re-install the IdP:
cd $IDP_INSTALL_DIR
./install.sh
and restart your servlet container to complete the installation of the login handler.