The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

  • The SSO-CAS login handler delegates the IdP's authentication to a CAS server. It differs from the RemoteUser login handler in that it supports forced authentication: a request carrying ForceAuthn is routed through a second set of CAS client filters configured with renew=true, so CAS asks for credentials again instead of reusing an existing SSO session.
  • This guide assumes you have a running IdP that has already been configured to use CAS, for example by following https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration.
  • To make your resources request forced authentication, see NativeSPSessionInitiator.

 

Download and installation

Download

 

You can either download the .JAR archive directly from https://sourcesup.renater.fr/frs/download.php/4086/ssocas-login-handler-0.1.jar or get the source code with Subversion and build it with Maven:

svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
cd ssocas-login-handler
mvn package

Installation

The first step is to copy the JAR (downloaded or built from source) into the lib directory of your IdP's installation directory:

cp ssocas-login-handler-0.1.jar $IDP_INSTALL_DIR/lib

The IdP then has to be re-installed for the JAR to end up in the deployed web application, but there is no point doing it right now, since the configuration changes below also require a re-installation.

Configuration

Web applications

 

Modify the CAS client filter settings in $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml. Two pairs of filters are needed: one without forced authentication, and one with renew=true on both the authentication filter (so CAS prompts for credentials even when an SSO session exists) and the validation filter (so CAS refuses a ticket that was not obtained through a fresh login; renew on the login redirect alone is not enough). Keep the init-params your existing CAS filters already carry (the Java CAS client requires serverName or service on each filter), point casServerLoginUrl and casServerUrlPrefix at the same CAS server, and do not forget to update the filter-mappings that were already defined:

	<!-- CAS Authentication Filter (no forced authentication) -->
	<filter>
	 <filter-name>CAS Authentication Filter</filter-name>
	 <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
	 <init-param>
	  <param-name>casServerLoginUrl</param-name>
	  <param-value>https://example.cas.server/cas/login</param-value>
	 </init-param>
	</filter>

	<!-- CAS Validation Filter: casServerUrlPrefix must be the same CAS server as casServerLoginUrl -->
	<filter>
	 <filter-name>CAS Validation Filter</filter-name>
	 <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
	 <init-param>
	  <param-name>casServerUrlPrefix</param-name>
	  <param-value>https://example.cas.server/cas</param-value>
	 </init-param>
	</filter>

	<!-- CAS Authentication Filter - forceAuthn: renew=true makes CAS re-prompt for credentials -->
	<filter>
	 <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
	 <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
	 <init-param>
	  <param-name>casServerLoginUrl</param-name>
	  <param-value>https://example.cas.server/cas/login</param-value>
	 </init-param>
	 <init-param>
	  <param-name>renew</param-name>
	  <param-value>true</param-value>
	 </init-param>
	</filter>

	<!-- CAS Validation Filter - forceAuthn: renew=true here too, so CAS rejects tickets issued from an existing SSO session -->
	<filter>
	 <filter-name>CAS Validation Filter - forceAuthn</filter-name>
	 <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
	 <init-param>
	  <param-name>casServerUrlPrefix</param-name>
	  <param-value>https://example.cas.server/cas</param-value>
	 </init-param>
	 <init-param>
	  <param-name>renew</param-name>
	  <param-value>true</param-value>
	 </init-param>
	</filter>

	<!-- CAS HttpServletRequest Wrapper Filter -->
	<filter>
	 <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	 <filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
	</filter>

	<!-- CAS Assertion Thread Local Filter -->
	<filter>
	 <filter-name>CAS Assertion Thread Local Filter</filter-name>
	 <filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
	</filter>

	<!-- CAS filter mappings for the Shibboleth RemoteUser servlet.
	     url-patterns are case-sensitive: an authentication filter and its validation
	     filter must be mapped to exactly the same path. -->
	<filter-mapping>
	 <filter-name>CAS Authentication Filter</filter-name>
	 <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
	 <dispatcher>REQUEST</dispatcher>
	 <dispatcher>FORWARD</dispatcher>
	</filter-mapping>

	<filter-mapping>
	 <filter-name>CAS Validation Filter</filter-name>
	 <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
	</filter-mapping>

	<filter-mapping>
	 <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
	 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
	 <dispatcher>REQUEST</dispatcher>
	 <dispatcher>FORWARD</dispatcher>
	</filter-mapping>

	<filter-mapping>
	 <filter-name>CAS Validation Filter - forceAuthn</filter-name>
	 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
	</filter-mapping>

	<filter-mapping>
	 <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
	 <url-pattern>/Authn/Cas/*</url-pattern>
	</filter-mapping>
	<filter-mapping>
	 <filter-name>CAS Assertion Thread Local Filter</filter-name>
	 <url-pattern>/Authn/Cas/*</url-pattern>
	</filter-mapping>

Then change the RemoteUser servlet mapping (still in this web.xml) so that the RemoteUserAuthHandler servlet is served under the path the CAS filters protect:

    <servlet-mapping>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </servlet-mapping>

Handlers

Define the CentralAuthnService login handler in $IDP_CONFIG_DIR/handler.xml:

  • Declare the following namespace and schema location on ProfileHandlerGroup:

        <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xmlns:sclh="fr:renater:ssocashandler"
                                xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                                                    fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">
  • Define the handler itself:

        <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
            <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        </ph:LoginHandler>

     casFiltersPath must be the prefix under which the CAS filters and the RemoteUserAuthHandler servlet are mapped in web.xml (/Authn/Cas above, with the filters on /Authn/Cas/ForceAuthn and /Authn/Cas/NoForceAuthn).

     You should also comment out or delete the RemoteUser login handler definition, since the IdP will not use it anymore.
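The web.xml filter mappings and the handler.xml definition above only work together if their paths and parameters agree, and neither the servlet container nor the IdP reports a mismatch: a validation filter mapped to a path that differs only in case from its authentication filter, or a ForceAuthn pair whose validation filter lacks renew=true, simply never does what the configuration was meant to do. The Python script below is an added example, not code from this page or from the ssocashandler project. It parses a web.xml and a handler.xml and lists such mismatches. The web.xml it checks is constructed inline to mirror the page's configuration (filter and servlet names are the page's; the serverName value https://idp.example.org is an assumption), and its arguments let you reproduce the case mismatch and the missing renew parameter.

```python
"""Consistency check for the SSO-CAS login handler wiring. Added example, not part of
the wiki page or the ssocashandler project: it cross-checks a web.xml and a handler.xml."""
import xml.etree.ElementTree as ET
from typing import Dict, List

AUTHN = "org.jasig.cas.client.authentication.AuthenticationFilter"
VALIDATE = "org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
CAS = "https://example.cas.server/cas"  # placeholder CAS server used on the page
IDP = "https://idp.example.org"         # assumed serverName of the IdP (not on the page)

def _local(tag: str) -> str:
    """'{http://java.sun.com/xml/ns/javaee}filter' -> 'filter' (drop the namespace)."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem: ET.Element, name: str) -> str:
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def parse_web_xml(xml_text: str):
    """Return (filters, filter_mappings, servlet_mappings) from a web.xml document."""
    filters, fmaps, smaps = {}, [], []
    for elem in ET.fromstring(xml_text):
        kind = _local(elem.tag)
        if kind == "filter":
            params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                      for p in elem if _local(p.tag) == "init-param"}
            filters[_child_text(elem, "filter-name")] = (_child_text(elem, "filter-class"), params)
        elif kind == "filter-mapping":
            fmaps.append((_child_text(elem, "filter-name"), _child_text(elem, "url-pattern")))
        elif kind == "servlet-mapping":
            smaps.append((_child_text(elem, "servlet-name"), _child_text(elem, "url-pattern")))
    return filters, fmaps, smaps

def check_cas_wiring(web_xml: str, handler_xml: str) -> List[str]:
    """Return the problems found; an empty list means the wiring is consistent."""
    problems: List[str] = []
    filters, fmaps, smaps = parse_web_xml(web_xml)
    # Pair the CAS filters by the exact url-pattern they are mapped to. Servlet
    # url-patterns are case-sensitive: /NoforceAuthn and /NoForceAuthn differ.
    by_pattern: Dict[str, Dict[str, Dict[str, str]]] = {}
    for name, pattern in fmaps:
        cls, params = filters.get(name, ("", {}))
        role = {AUTHN: "authn", VALIDATE: "validate"}.get(cls)
        if role:
            by_pattern.setdefault(pattern, {})[role] = params
    for pattern, roles in sorted(by_pattern.items()):
        if set(roles) != {"authn", "validate"}:
            problems.append(f"{pattern}: only {sorted(roles)} mapped here; the authentication "
                            "and validation filters must share one url-pattern")
            continue
        # renew=true belongs on both filters: the login redirect asks CAS for a
        # fresh login, and the validation request makes CAS refuse a ticket that
        # was issued from an existing SSO session rather than a fresh login.
        want = pattern.endswith("/ForceAuthn")
        for role, params in roles.items():
            got = params.get("renew", "false").lower() == "true"
            if got != want:
                problems.append(f"{pattern}: {role} filter has renew={got}, expected {want}")
        login = roles["authn"].get("casServerLoginUrl", "")
        prefix = roles["validate"].get("casServerUrlPrefix", "")
        if not login.startswith(prefix.rstrip("/") + "/"):  # validate tickets at the issuing server
            problems.append(f"{pattern}: casServerLoginUrl {login!r} is not under casServerUrlPrefix {prefix!r}")
    # handler.xml: casFiltersPath must be the prefix the CAS filters and the
    # RemoteUserAuthHandler servlet are mapped under, and RemoteUser must be gone.
    handlers = [h for h in ET.fromstring(handler_xml) if _local(h.tag) == "LoginHandler"]
    if any(h.get(XSI_TYPE, "").endswith(":RemoteUser") for h in handlers):
        problems.append("handler.xml still declares a RemoteUser login handler")
    cas = [h.get("casFiltersPath", "") for h in handlers if h.get(XSI_TYPE, "").endswith(":CentralAuthnService")]
    if len(cas) != 1:
        problems.append(f"expected one CentralAuthnService login handler, found {len(cas)}")
    else:
        path = cas[0].rstrip("/")
        if ("RemoteUserAuthHandler", path + "/*") not in smaps:
            problems.append(f"RemoteUserAuthHandler is not mapped to {path}/*")
        problems += [f"{p} is outside casFiltersPath {path}" for p in by_pattern if not p.startswith(path + "/")]
    return problems

def _filter(name: str, cls: str, params: Dict[str, str]) -> str:
    inits = "".join(f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value></init-param>"
                    for k, v in params.items())
    return f"<filter><filter-name>{name}</filter-name><filter-class>{cls}</filter-class>{inits}</filter>"

def sample_web_xml(noforce_validate="/Authn/Cas/NoForceAuthn", force_renew="true") -> str:
    """Constructed web.xml mirroring the page. noforce_validate='/Authn/Cas/NoforceAuthn'
    reproduces the page's case mismatch; force_renew='false' drops renew from validation."""
    mappings = [("CAS Authentication Filter", "/Authn/Cas/NoForceAuthn"), ("CAS Validation Filter", noforce_validate),
                ("CAS Authentication Filter - forceAuthn", "/Authn/Cas/ForceAuthn"),
                ("CAS Validation Filter - forceAuthn", "/Authn/Cas/ForceAuthn")]
    body = (_filter("CAS Authentication Filter", AUTHN, {"casServerLoginUrl": CAS + "/login", "serverName": IDP})
            + _filter("CAS Validation Filter", VALIDATE, {"casServerUrlPrefix": CAS, "serverName": IDP})
            + _filter("CAS Authentication Filter - forceAuthn", AUTHN, {"casServerLoginUrl": CAS + "/login", "serverName": IDP, "renew": "true"})
            + _filter("CAS Validation Filter - forceAuthn", VALIDATE, {"casServerUrlPrefix": CAS, "serverName": IDP, "renew": force_renew})
            + "".join(f"<filter-mapping><filter-name>{n}</filter-name><url-pattern>{u}</url-pattern></filter-mapping>" for n, u in mappings)
            + "<servlet-mapping><servlet-name>RemoteUserAuthHandler</servlet-name><url-pattern>/Authn/Cas/*</url-pattern></servlet-mapping>")
    return f'<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">{body}</web-app>'

HANDLER_XML = """<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sclh="fr:renater:ssocashandler">
  <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
  </ph:LoginHandler></ph:ProfileHandlerGroup>"""
```

To check a real deployment, call check_cas_wiring with the contents of $IDP_INSTALL_DIR/src/main/webapp/WEB-INF/web.xml and $IDP_CONFIG_DIR/handler.xml; an empty list means the two files agree. With the constructed sample, sample_web_xml("/Authn/Cas/NoforceAuthn") reports the two orphaned mappings, sample_web_xml(force_renew="false") reports the validation filter that would accept tickets from an existing SSO session even though the login redirect asked for a fresh one, and the default arguments report nothing.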

Deployment

You can now re-install the IdP:

cd $IDP_INSTALL_DIR
./install.sh

and restart your servlet container to complete the installation of the login handler.
