Warning | ||
---|---|---|
| ||
CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link. |
Tip |
---|
Since CAS version 4.0, in addition to this server-side support, a new OpenID client support is available in the CAS server through the cas-server-support-pac4j module. It means that CAS authentication can itself be delegated to an external OpenID provider such as www.myopenid.com. |
OpenID is an open, decentralized, free framework for user-centric digital identity. Users represent themselves using URIs. For more information see http://www.openid.net. As of CAS 3.5, CAS supports both the "dumb" (stateless) and "smart" (stateful) modes of the OpenID protocol. Dumb mode works much like the existing CAS protocol: after the user is redirected back to the relying party (the client application) with a signed assertion, the relying party has no key of its own and must send the assertion back to the OpenID provider (OP) in a check_authentication request to have the signature verified, which is the equivalent of CAS ticket validation. Smart mode differs in that the relying party first establishes an association with the OP. The key exchanged during that association is a shared MAC key: the OP signs the assertion with it and the relying party verifies the signature locally, so there is no need for the final verification request to the OP.
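To make the difference between the two modes concrete, here is an added example, in Python, of the relying-party side of an OpenID 2.0 positive assertion. It is not code from this page or from the CAS project. The association MAC key, association handle, endpoint URL, identity and nonce are constructed sample values; the message layout, Key-Value Form encoding and HMAC signature follow the OpenID 2.0 specification. In smart mode the relying party verifies openid.sig itself with the association key; in dumb mode it has no key and must send the assertion back to the OP as a check_authentication request.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed sample association (smart mode). A real relying party obtains the
# MAC key from the OP during the association step; here it is just random bytes.
ASSOC_TYPE = "HMAC-SHA256"
ASSOC_HANDLE = "assoc-demo-1"            # hypothetical handle
MAC_KEY = secrets.token_bytes(32)        # 256-bit key for HMAC-SHA256

# Fields a positive assertion must sign (OpenID 2.0, section 10.1).
SIGNED_KEYS = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def kv_form(fields: dict, signed: str) -> bytes:
    """Key-Value Form encoding of the fields listed in openid.signed
    (OpenID 2.0, sections 4.1.1 and 6.1): one 'key:value\\n' line per key,
    in list order, with the 'openid.' prefix stripped from the key name."""
    return "".join(f"{key}:{fields['openid.' + key]}\n" for key in signed.split(",")).encode()


def sign(fields: dict, mac_key: bytes, assoc_type: str = ASSOC_TYPE) -> str:
    """OP side: openid.sig = base64(HMAC(mac_key, KV form of the signed fields))."""
    digestmod = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    mac = hmac.new(mac_key, kv_form(fields, fields["openid.signed"]), digestmod).digest()
    return base64.b64encode(mac).decode()


def build_assertion(identity: str, return_to: str, mac_key: bytes = MAC_KEY) -> dict:
    """OP side: a constructed positive assertion (mode=id_res) signed with the
    association key. All values are sample data, not a real CAS response."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://my.cas.server/openid",   # hypothetical endpoint
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.response_nonce": "2014-01-01T00:00:00Zdemo",    # constructed nonce
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": SIGNED_KEYS,
    }
    fields["openid.sig"] = sign(fields, mac_key)
    return fields


def verify_smart(fields: dict, mac_key: bytes, assoc_type: str = ASSOC_TYPE) -> bool:
    """Relying-party side, smart mode: recompute the MAC with the association key
    and compare in constant time. No second request to the OP is needed."""
    try:
        expected = sign(fields, mac_key, assoc_type)
    except KeyError:            # a key listed in openid.signed is missing
        return False
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def check_authentication_request(fields: dict) -> str:
    """Relying-party side, dumb mode: with no shared key, the whole assertion is
    sent back to the OP endpoint in a direct request with
    mode=check_authentication, and the OP's 'is_valid:true' answer is trusted.
    This extra round trip is the OpenID counterpart of CAS ticket validation."""
    body = dict(fields, **{"openid.mode": "check_authentication"})
    return urlencode(body)


def demo() -> dict:
    """Smart-mode checks on a constructed assertion, a tampered copy and a wrong key."""
    assertion = build_assertion("https://my.cas.server/openid/alice",
                                "https://app.example/login")
    tampered = dict(assertion, **{"openid.identity": "https://my.cas.server/openid/admin"})
    return {
        "valid": verify_smart(assertion, MAC_KEY),
        "tampered": verify_smart(tampered, MAC_KEY),
        "wrong_key": verify_smart(assertion, secrets.token_bytes(32)),
    }


if __name__ == "__main__":
    print(demo())
    print(check_authentication_request(build_assertion(
        "https://my.cas.server/openid/alice", "https://app.example/login"))[:80])
```

Signature verification is necessary but not sufficient: a real relying party also checks that openid.return_to matches the URL on which it received the response, that openid.response_nonce has not been seen before, and that openid.assoc_handle names an association it actually holds. Changing any signed field, as the tampered copy in demo() shows, invalidates the signature.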
A demo of the OpenID support in the CAS server is available at https://github.com/leleuj/cas-openid-demo.
Giving your users URIs
Configuring your users to have URIs.
OpenID identifiers are URIs. The default mechanism in the CAS support is a URI ending with the actual user login (e.g. http://my.cas.server/openid/fesnault, where the actual user login is fesnault). This is not recommended: an OpenID identifier is public (the user types it at every relying party, and relying parties store it), so the default scheme discloses every login name to third parties and makes account enumeration trivial. Think of a more elaborate way of providing URIs to your users, such as an opaque per-user identifier that CAS maps back to the login.
Add the OpenID support module to the CAS server
The first thing to do, in a CAS server webapp, is to add the OpenID support module dependency. This is done by adding the following to the CAS server webapp pom.xml:
```xml
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-openid</artifactId>
  <version>${project.version}</version>
</dependency>
```
Warning | ||
---|---|---|
| ||
You must change the server prefix property of the CAS server to an https URL, otherwise SSO will not work: the ticket-granting cookie is marked secure by default, so the browser never sends it back over plain http. Find the cas.properties file and edit the server.prefix URL to something like this: https://localhost:443/cas. |
Now let's dive into CAS configuration itself.
Declare the OpenID endpoint (since CAS 4.0)
Since CAS 4.0, the OpenID discovery endpoint is no longer enabled by default in the CAS server (in fact, it is no longer available in the cas-server-support-webapp module: it has been moved to the cas-server-support-openid module).
The OpenID discovery endpoint must therefore be enabled explicitly during configuration. In the web.xml file, the following mapping must be added:
```xml
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/openid/*</url-pattern>
</servlet-mapping>
```
In the cas-servlet.xml file, the following mapping and bean must be added (the p: attributes require the xmlns:p="http://www.springframework.org/schema/p" declaration on the root beans element):

```xml
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      <prop key="/logout">logoutController</prop>
      ...
      <!-- route /openid/* to the OpenID provider controller -->
      <prop key="/openid/*">openIdProviderController</prop>
      ...
    </props>
  </property>
</bean>

<!-- the OP controller; loginUrl is where unauthenticated users are sent -->
<bean
  id="openIdProviderController"
  class="org.jasig.cas.support.openid.web.OpenIdProviderController"
  p:loginUrl="${server.prefix}/login"/>
```
Add the OpenID entry in the unique id generator map (since CAS 4.0)
Since CAS 4.0, the OpenID entry in the unique id generator map is no longer defined by default in the CAS server.
The OpenID entry must be added to the uniqueIdGenerators.xml file, so that service tickets issued for OpenID services get an id generator:
```xml
<util:map id="uniqueIdGeneratorsMap">
  ...
  <entry
    key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
    value-ref="serviceTicketUniqueIdGenerator" />
  ...
</util:map>
```
Update the webflow
CAS uses a Spring webflow to describe the authentication process. We need to change it a little to allow CAS to switch to OpenID authentication when it recognizes an OpenID request. This is done in the login-webflow.xml file. After the on-start element, add these two blocks:
...