Warning: New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Warning

Since CAS 4.0.0, the SAML support is no longer available in the CAS server itself but through the cas-server-support-saml module : SAML Support in CAS 4


Google Apps for Education (or any of the Google Apps) uses SAML 2.0 as its integration point for external authentication services. CAS 3.1 includes an "ArgumentExtractor" and an accompanying "Service" that process and respond to the SAML 2.0 requests Google sends.

Warning

Though Google Accounts integration is implemented with SAML 2.0 AuthenticationRequests and Assertions, we cannot confirm that it will work with any other SAML 2.0 compliant application. It has only been tested with Google Accounts.

Warning: CAS 3.4.2 Users

Note that there is a bug in the redirect portion of login-webflow.xml in CAS 3.4.2 and earlier, introduced by the migration to Spring Web Flow 2. It will break the redirect back to Google Apps after login. The issue is fixed in later releases; the correct syntax is available in this issue: https://issues.jasig.org/browse/CAS-868

The integration with Google Accounts is based on the excellent documentation provided by Google:

Step 1 - Generate DSA/RSA Keys

...

The keys will also need to be available to the CAS application (but not publicly available over the Internet). We recommend you place the keys within your classpath (e.g. WEB-INF/classes), though any location readable by the user running the web server instance is acceptable:

...

Any location that is readable by the user running the web server instance and not served publicly to the Internet is acceptable. Inside WEB-INF is a good choice because WEB-INF is scoped to the web application but is not normally served. Inside the webapp but outside WEB-INF is fraught with peril, since the private key could then be fetched over HTTP like any other static file. Somewhere like /etc/cas/keys/ is a fine idea as well, and protects the key from being overwritten when a new version of the CAS webapp is deployed.

No Format
openssl genrsa -out private.key 1024
openssl rsa -pubout -in private.key -out public.key -inform PEM -outform DER
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in private.key -out private.p8
openssl req -new -x509 -key private.key -out x509.pem -days 365

The second command writes the public key as DER-encoded SubjectPublicKeyInfo and the third writes the private key as unencrypted PKCS#8 DER; these are the formats the CAS key factory beans configured below load. The self-signed x509.pem is the certificate you upload to Google. The 1024-bit key size above is what the original page used; a new deployment should use at least 2048 bits.

...
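As an added example (not code from the CAS project or this wiki), the script below runs the same openssl steps as a function, producing the PKCS#8 DER private key that CAS's PrivateKeyFactoryBean loads and the SubjectPublicKeyInfo DER public key that PublicKeyFactoryBean loads, and then checks that private.key, private.p8, public.key and x509.pem all carry the same RSA modulus and that the private key files are not readable by other users. The output directory, the 2048-bit key size, the certificate subject and the 365-day validity are assumptions, not values taken from the page.

```shell
#!/bin/sh
# Added example for this wiki page; not code from the CAS project.
# Generates the key material for the Google Apps integration and checks
# that all four artifacts derive from one RSA key. Assumed (not from the
# page): output directory given as $1, 2048-bit key, CN and validity.
set -eu

# Generate private.key (PKCS#1 PEM), public.key (SubjectPublicKeyInfo DER,
# what PublicKeyFactoryBean parses via X509EncodedKeySpec), private.p8
# (unencrypted PKCS#8 DER, what PrivateKeyFactoryBean parses via
# PKCS8EncodedKeySpec) and x509.pem (self-signed cert to upload to Google).
gen_keys() {
    dir="$1"
    bits="${2:-2048}"   # the wiki shows 1024; treat 2048 as the floor
    (
        umask 077       # new files readable by the owner only
        mkdir -p "$dir"
        openssl genrsa -out "$dir/private.key" "$bits" 2>/dev/null
        openssl rsa -in "$dir/private.key" -pubout -outform DER \
            -out "$dir/public.key" 2>/dev/null
        openssl pkcs8 -topk8 -nocrypt -inform PEM -outform DER \
            -in "$dir/private.key" -out "$dir/private.p8"
        openssl req -new -x509 -key "$dir/private.key" -days 365 \
            -subj "/CN=cas.example.org" -out "$dir/x509.pem" 2>/dev/null
    )
}

# Each helper prints "Modulus=<hex>" for one artifact.
priv_pem_modulus() { openssl rsa -in "$1" -noout -modulus; }
priv_p8_modulus()  { openssl rsa -inform DER -in "$1" -noout -modulus; }
pub_der_modulus()  { openssl rsa -pubin -inform DER -in "$1" -noout -modulus; }
cert_modulus()     { openssl x509 -in "$1" -noout -modulus; }

# Key length in bits, parsed from the text dump (1.0.x, 1.1.x and 3.x output).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Returns 0 when every artifact shares the private key's modulus and the
# private key files are not readable by other users; 1 otherwise.
verify_keys() {
    dir="$1"
    ref=$(priv_pem_modulus "$dir/private.key" 2>/dev/null) || return 1
    for pair in "private.p8:priv_p8_modulus" "public.key:pub_der_modulus" \
                "x509.pem:cert_modulus"; do
        f=${pair%%:*}; fn=${pair#*:}
        [ "$($fn "$dir/$f" 2>/dev/null)" = "$ref" ] ||
            { echo "$f does not match private.key" >&2; return 1; }
    done
    for f in private.key private.p8; do
        [ -z "$(find "$dir/$f" -perm -004)" ] ||
            { echo "$f is readable by other users" >&2; return 1; }
    done
    echo "key material in $dir is consistent; upload x509.pem to Google"
}

# Usage: sh cas-google-keys.sh /etc/cas/keys
if [ "$#" -gt 0 ]; then
    gen_keys "$1"
    verify_keys "$1"
fi
```

Run the verification again after every redeploy or key rotation: a public.key or x509.pem left over from an older key pair is exactly the mismatch that makes Google reject otherwise valid assertions.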

You'll need to modify WEB-INF/spring-configuration/argumentExtractorsConfiguration.xml and add the following bean (note: the p:httpClient-ref="httpClient" attribute is only for CAS 3.4 and up, and should be removed for 3.3.x):

No Format

<bean id="googleAccountsArgumentExtractor"
      class="org.jasig.cas.web.support.GoogleAccountsArgumentExtractor"
      p:privateKey-ref="privateKeyFactoryBean"
      p:publicKey-ref="publicKeyFactoryBean"
      p:httpClient-ref="httpClient" />

Reference that from the list of ArgumentExtractors, so it would look something like this:

No Format

<util:list id="argumentExtractors">
	<ref bean="casArgumentExtractor" />
	<ref bean="samlArgumentExtractor" />
	<ref bean="googleAccountsArgumentExtractor" />
</util:list>

You'll need to configure the keys so they can be loaded from the files. You do that as follows:

No Format

<bean id="privateKeyFactoryBean"
      class="org.jasig.cas.util.PrivateKeyFactoryBean"
      p:location="classpath:private.p8"
      p:algorithm="RSA" />

<bean id="publicKeyFactoryBean"
      class="org.jasig.cas.util.PublicKeyFactoryBean"
      p:location="classpath:public.key"
      p:algorithm="RSA" />

Replace private.p8 and public.key with the names of your key files. If they are not on the classpath, change the location to point at the files instead, using Spring's file: resource prefix (for example file:/etc/cas/keys/private.p8). If you generated DSA keys instead of RSA keys, change the algorithm accordingly.

Step 3 - Configure Google

The final step is to configure Google. You'll need to provide Google with the URL for your SAML-based SSO service, as well as the URL your users will be redirected to when they log out of a hosted Google application.

Use the following URLs when configuring Google Apps:

Sign-in page URL: https://yourCasServer/login
Sign-out page URL: https://yourCasServer/logout
Change password URL: http://whateverServerYouWouldLike

If you wish to use a Google email username that is different from your CAS userid, please read Google Apps from MS-AD using the 'mail' attribute. While this uses MS-AD, it applies to any LDAP directory.

Step 4 - Add a new service in CAS

Name : Google Apps

Service URL : https://www.google.com/a/YourGoogleDomain/acs