Versions Compared

Since CAS 4.0.0, SAML support is no longer available in the CAS server itself but through the cas-server-support-saml module: the SAML 1.1 Ticket Validation Response and the SAML2 Google Accounts Integration are optional components provided by that module. While both features require the cas-server-support-saml module, they can be deployed independently.

If you want to enable SAML support in the CAS server, you need to apply some of the following steps:

  • step 1 is mandatory
  • step 2 is optional and necessary to support SAML validation from CAS client perspective
  • step 3 is optional and necessary to support SAML 1.1 authentication requests
  • step 4 is optional and necessary to delegate Google SAML 2.0 authentication to your CAS server.


...

To enable either feature the cas-server-support-saml module dependency must be added to your CAS Server Maven Overlay pom.xml file:

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-saml</artifactId>
  <version>4.0.0</version>
</dependency>

...

SAML 1.1 Ticket Validate Response Configuration

Step 1: Define the samlValidateController bean in cas-servlet.xml and map it to the /samlValidate URL via the handlerMappingC bean:

<bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="samlArgumentExtractor"
  p:successView="casSamlServiceSuccessView"
  p:failureView="casSamlServiceFailureView"/>

...

<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      ...
      <prop key="/samlValidate">samlValidateController</prop>
      ...
    </props>
  </property>
</bean>

Step 2: Add the servlet mapping for /samlValidate URL in the web.xml file:

<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/samlValidate</url-pattern>
</servlet-mapping>

...

Step 3: Enable SAML 1.1 support

  1. Add the SAML argument extractor in the argumentExtractorsConfiguration.xml file:

    <bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor"
      p:httpClient-ref="noRedirectHttpClient"
      p:disableSingleSignOut="${slo.callbacks.disabled:false}" />

  2. Add it to the list of argument extractors:

    <util:list id="argumentExtractors">
      <ref bean="casArgumentExtractor" />
      <ref bean="samlArgumentExtractor" />
    </util:list>

  3. Add the SAML id generator in the uniqueIdGenerators.xml file:

    <bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator">
      <constructor-arg index="0" value="https://localhost:8443" />
    </bean>

  4. Reference it in the uniqueIdGeneratorsMap:

    <util:map id="uniqueIdGeneratorsMap">
      <entry
        key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
        value-ref="serviceTicketUniqueIdGenerator" />
      <entry
        key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
        value-ref="serviceTicketUniqueIdGenerator" />
      <entry
        key="org.jasig.cas.support.saml.authentication.principal.SamlService"
        value-ref="samlServiceTicketUniqueIdGenerator" />
    </util:map>
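The bean fragments from steps 1 to 3 are spread over three files, so a missing stub or a forgotten list entry only shows up at deploy time. The following added consistency check (not part of the CAS project or of this page) parses the fragments with the standard library, reports bean references that nothing defines, and verifies the three page-specific links: /samlValidate to samlValidateController, samlArgumentExtractor in the extractor list, and SamlService to samlServiceTicketUniqueIdGenerator. The sample configuration is constructed: the fragments are wrapped in a single root and beans the page only references (centralAuthenticationService, proxy20Handler, noRedirectHttpClient, casArgumentExtractor) are stubbed.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the page's fragments (normally spread over cas-servlet.xml,
# argumentExtractorsConfiguration.xml and uniqueIdGenerators.xml) wrapped in one
# <beans> root; beans that the page only references are stubbed with class="stub".
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util">
  <bean id="centralAuthenticationService" class="stub"/><bean id="proxy20Handler" class="stub"/>
  <bean id="noRedirectHttpClient" class="stub"/><bean id="casArgumentExtractor" class="stub"/>
  <bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController"
    p:centralAuthenticationService-ref="centralAuthenticationService" p:proxyHandler-ref="proxy20Handler"
    p:argumentExtractor-ref="samlArgumentExtractor"/>
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings"><props><prop key="/samlValidate">samlValidateController</prop></props></property></bean>
  <bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor"
    p:httpClient-ref="noRedirectHttpClient"/>
  <util:list id="argumentExtractors"><ref bean="casArgumentExtractor"/><ref bean="samlArgumentExtractor"/></util:list>
  <bean id="samlServiceTicketUniqueIdGenerator"
    class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator">
    <constructor-arg index="0" value="https://localhost:8443"/></bean>
  <util:map id="uniqueIdGeneratorsMap"><entry value-ref="samlServiceTicketUniqueIdGenerator"
    key="org.jasig.cas.support.saml.authentication.principal.SamlService"/></util:map>
</beans>"""

def local(name): return name.rsplit("}", 1)[-1]  # strip ElementTree's {namespace} prefix

def unresolved_references(xml_text):
    """Bean ids named in *-ref attributes or <ref bean="..."/> but defined nowhere."""
    root = ET.fromstring(xml_text)
    defined = {e.attrib["id"] for e in root.iter() if "id" in e.attrib}
    referenced = set()
    for e in root.iter():
        referenced.update(v for a, v in e.attrib.items() if local(a).endswith("-ref"))
        if local(e.tag) == "ref" and "bean" in e.attrib:
            referenced.add(e.attrib["bean"])
    return sorted(referenced - defined)

def check_saml_wiring(xml_text):
    """The three links the page sets up: URL -> controller, extractor list, id-generator map."""
    root = ET.fromstring(xml_text)
    found = {"validate_url_mapped": False, "extractor_listed": False, "id_generator_mapped": False}
    for e in root.iter():
        tag, eid = local(e.tag), e.attrib.get("id")
        if tag == "prop" and e.attrib.get("key") == "/samlValidate":
            found["validate_url_mapped"] = (e.text or "").strip() == "samlValidateController"
        elif tag == "list" and eid == "argumentExtractors":
            found["extractor_listed"] = any(r.attrib.get("bean") == "samlArgumentExtractor" for r in e)
        elif tag == "map" and eid == "uniqueIdGeneratorsMap":
            found["id_generator_mapped"] = any(x.attrib.get("key", "").endswith(".SamlService")
                and x.attrib.get("value-ref") == "samlServiceTicketUniqueIdGenerator" for x in e)
    return found
```

Run both functions over the concatenated contents of your real cas-servlet.xml, argumentExtractorsConfiguration.xml and uniqueIdGenerators.xml (wrapped in one root) before deploying the overlay; an unresolved reference or a False entry means one of the steps above was skipped.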

...