This article describes how to use MS-AD (or any LDAP directory) as the account store for authenticating with CAS to Google Apps, and how to use the "mail" attribute of the AD account object as the Google Apps user id. If the "mail" attribute is not set, the regular username is used instead.

E.g. a user logs into AD as "jdoe" or "jdoe@ad.yourschool.edu", but that user has the email address "john.doe@yourschool.edu" (hosted at Gmail), and this address is set in the "mail" attribute of the AD object. (Note that you can use any LDAP attribute, as long as you map this LDAP attribute to the CAS Principal attribute called "EmailAddress"; see below.)
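The selection rule just described (use the "EmailAddress" principal attribute when present, otherwise fall back to the principal id) is small enough to isolate in a helper. The class below is an added example written for this article, not CAS project code; the class and method names are assumptions, and the sample principals in main() are constructed from the "jdoe" / "john.doe@yourschool.edu" values used on this page. It goes a little beyond the article's logic: it tolerates multi-valued attributes (which CAS 3.x attribute repositories hand over as a List), rejects empty or malformed values so that the fallback still applies, and XML-escapes the chosen value before it is placed into the SAML response body.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical helper, not part of CAS): decide which user id
 * is sent to Google Apps for a CAS principal.
 */
public final class GoogleUserIdResolver {

    /** Name of the CAS principal attribute the LDAP "mail" attribute is mapped to. */
    public static final String EMAIL_ATTRIBUTE = "EmailAddress";

    /** Deliberately narrow: the value must look like exactly one plain address. */
    private static final Pattern EMAIL =
        Pattern.compile("^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$");

    private GoogleUserIdResolver() {
    }

    /**
     * Returns the value to substitute for the username placeholder in the SAML
     * response. Falls back to principalId when the attribute is missing, null,
     * empty, not a String, or not a well-formed single address.
     */
    public static String resolve(String principalId, Map<String, Object> attributes) {
        if (attributes == null) {
            return principalId;
        }
        Object raw = attributes.get(EMAIL_ATTRIBUTE);
        // Multi-valued LDAP attributes arrive as a List; take the first value.
        if (raw instanceof List) {
            List<?> values = (List<?>) raw;
            raw = values.isEmpty() ? null : values.get(0);
        }
        if (!(raw instanceof String)) {
            return principalId;
        }
        String email = ((String) raw).trim();
        if (email.length() == 0 || !EMAIL.matcher(email).matches()) {
            return principalId;
        }
        return email;
    }

    /** Minimal escaping so the id cannot alter the surrounding SAML XML. */
    public static String xmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample principals, mirroring the article's jdoe example.
        Map<String, Object> withMail = new HashMap<String, Object>();
        withMail.put(EMAIL_ATTRIBUTE, "john.doe@yourschool.edu");

        Map<String, Object> multiValued = new HashMap<String, Object>();
        multiValued.put(EMAIL_ATTRIBUTE, Arrays.asList("john.doe@yourschool.edu", "jd@yourschool.edu"));

        Map<String, Object> emptyMail = new HashMap<String, Object>();
        emptyMail.put(EMAIL_ATTRIBUTE, "   ");

        Map<String, Object> noMail = new HashMap<String, Object>();

        System.out.println(resolve("jdoe", withMail));     // john.doe@yourschool.edu
        System.out.println(resolve("jdoe", multiValued));  // john.doe@yourschool.edu
        System.out.println(resolve("jdoe", emptyMail));    // jdoe (fallback)
        System.out.println(resolve("jdoe", noMail));       // jdoe (fallback)

        String template = "<saml:NameID><USERNAME_STRING></saml:NameID>";
        System.out.println(template.replace("<USERNAME_STRING>",
            xmlEscape(resolve("jdoe", withMail))));
    }
}
```

Because the fallback fires on any value that is not a single well-formed address, a mis-mapped or stale LDAP attribute degrades to the ordinary username rather than producing a SAML assertion for an unexpected subject; the INFO log line in the article's patch is where you would notice that happening.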

Prerequisites:

  • a functioning CAS 3.3 setup, with localization via the Maven overlay method, see Maintaining+local+customizations+using+Maven+2
  • MS-AD authentication is functioning, see Active+Directory
  • You can get LDAP attributes from AD (or any LDAP) into the CAS Principal (i.e. the CAS user object).
    You will need to map the AD "mail" attribute (or any other LDAP attribute you wish to use) to the CAS Principal "EmailAddress" attribute, e.g. in the mapping section of the Attributes article, use:

    <map>
      <entry key="mail" value="EmailAddress" />
    </map>

    See Attributes for more.

In your Maven customization folder, here called cas-server-local/, create the following directory structure (if it doesn't already exist):

mkdir -p src/main/java/org/jasig/cas/authentication/principal/

Copy the Google Apps account service bean into this directory from the cas-server-core directory. From the top of your CAS build directory:

cp cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java \
   cas-server-local/src/main/java/org/jasig/cas/authentication/principal/

Now apply the following patch to this Java bean file in your customization folder (here: cas-server-local/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java):

--- cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java     2009-03-18 08:27:22.000000000 -0700
+++ cas-server-local/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java      2009-03-18 08:25:53.000000000 -0700
@@ -25,6 +25,9 @@
 import java.util.zip.Inflater;
 import java.util.zip.InflaterInputStream;

+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 /**
  * Implementation of a Service that supports Google Accounts (eventually a more
  * generic SAML2 support will come).
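Review bot: these two commons-logging imports are only needed because the second hunk creates the Log as a local variable inside the method; declaring it once at class level (`private static final Log log = LogFactory.getLog(GoogleAccountsService.class);`) is the usual CAS convention and avoids a LogFactory lookup on every SAML response.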
@@ -160,8 +163,36 @@
         c.setTime(new Date());
         c.add(Calendar.YEAR, 1);

-        samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
-            .getId());
+       /**
+        * samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
+        *   .getId());
+        */
+        /**
+         * Modify Google return to pass in EmailAddress attribute, if exists.
+         *
+        */
+       String username = getPrincipal().getId();
+       Map<String, Object> attributes = getPrincipal().getAttributes();
+
+       /** Log instance for logging events, info, warnings, errors, etc. */
+       final Log log = LogFactory.getLog(this.getClass());
+
+        if (log.isInfoEnabled()) {
+            log.info("User [" + getPrincipal().getId() + "] has " + attributes.size() + " principal attributes");
+       }
+
+       /**
+        * try to find the attribute mapped in the CredentialsToLDAPAttributePrincipalResolver
+        * configuration in deployerConfigContext.xml
+        */
+       if(attributes.containsKey("EmailAddress")) {
+               username = (String)attributes.get("EmailAddress");
+               if (log.isInfoEnabled()) {
+                               log.info("User [" + getPrincipal().getId() + "]: using EmailID [" + username + "]");
+               }
+       }
+       samlResponse = samlResponse.replace("<USERNAME_STRING>",username);
+
         samlResponse = samlResponse.replace("<RESPONSE_ID>", createID());
         samlResponse = samlResponse.replace("<ISSUE_INSTANT>", SamlUtils
             .getCurrentDateAndTime());
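Review bot: the `(String)attributes.get("EmailAddress")` line has no null, empty or type check: `containsKey` is true even when the mapped value is null or a List (multi-valued LDAP attributes), in which case `username` becomes null (and the following `replace` throws a NullPointerException) or the cast fails with a ClassCastException. Guard with `Object v = attributes.get("EmailAddress"); if (v instanceof String && ((String) v).trim().length() > 0)` and otherwise keep the principal id. Separately, the value is substituted into the SAML XML verbatim by `samlResponse.replace("<USERNAME_STRING>",username)`; XML-escaping it, or rejecting anything that is not a single well-formed address, keeps a bad directory value from producing a malformed response. Finally, the two `log.info` calls fire on every Google Apps login and include the user id; DEBUG is the more appropriate level once the mapping is confirmed to work, and the commented-out original line can simply be deleted rather than kept in a block comment.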

Rebuild your overlay with maven:

cd cas-server-local

...

mvn install package

If all looks good, deploy the target/cas.war file, and test!

Finally, if all looks well, configure your Google Apps domain to use your CAS setup for authentication. See SAML+2.0+%28Google+Accounts+Integration%29.

Every time Google Apps calls CAS, there will be some new INFO level messages in the Tomcat log file, typically <tomcat>/logs/catalina.out, to show you what is happening. The first line shows you how many (if any) attributes are attached to the CAS principal; this tells you whether your attribute mapping is working. The second line shows which user id is actually sent to Google for the current CAS principal.

2009-03-26 14:57:25,744 INFO [org.jasig.cas.authentication.principal.GoogleAccountsService] - <User [jdoe] has 1 principal attributes>
2009-03-26 14:57:25,744 INFO [org.jasig.cas.authentication.principal.GoogleAccountsService] - <User [jdoe]: using EmailID [john.doe@yourschool.edu]>