Since CAS 4.0.0, the SAML support is no longer available in the CAS server itself but SAML 1.1 Ticket Validation Response and SAML2 Google Accounts Integration are optional components available through the cas-server-support-saml module.
If you want to enable SAML support in the CAS server, you need to apply the following steps.
While both features require the cas-server-support-saml module, they can be deployed independently.
To enable either feature the cas-server-support-saml module dependency must be added to your CAS Server Maven Overlay pom.xml file:
```xml
<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-saml</artifactId>
    <version>4.0.0</version>
</dependency>
```
SAML 1.1 Ticket Validate Response Configuration
In addition to the cas-server-support-saml module dependency, the following steps are required to enable the SAML 1.1 Ticket Validation Response. These steps are not required for SAML2 Google Accounts Integration.
Step 1: Define the samlValidateController bean and map it to the /samlValidate URL via the handlerMappingC bean in cas-servlet.xml:
```xml
<bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="samlArgumentExtractor"
      p:successView="casSamlServiceSuccessView"
      p:failureView="casSamlServiceFailureView"/>
```
```xml
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    ...
    <property name="mappings">
        <props>
            ...
            <prop key="/samlValidate">samlValidateController</prop>
            ...
        </props>
    </property>
</bean>
```
Step 2: Add the servlet mapping for the /samlValidate URL in the web.xml file:
```xml
<servlet-mapping>
    <servlet-name>cas</servlet-name>
    <url-pattern>/samlValidate</url-pattern>
</servlet-mapping>
```
Step 3: Add the SAML argument extractor in the argumentExtractorsConfiguration.xml file:
```xml
<bean id="samlArgumentExtractor"
      class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor" />
```
Add it to the list of argument extractors:
```xml
<util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <ref bean="samlArgumentExtractor" />
</util:list>
```
Step 4: Add the SAML ID generator in the uniqueIdGenerators.xml file:
```xml
<bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator">
    <constructor-arg index="0" value="https://localhost:8443" />
</bean>
```
and reference it in the uniqueIdGeneratorsMap:
```xml
<util:map id="uniqueIdGeneratorsMap">
    <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
           value-ref="serviceTicketUniqueIdGenerator" />
    <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
           value-ref="serviceTicketUniqueIdGenerator" />
    <entry key="org.jasig.cas.support.saml.authentication.principal.SamlService"
           value-ref="samlServiceTicketUniqueIdGenerator" />
</util:map>
```
Step 5: Add the SAML views in the cas-servlet.xml file:
```xml
<bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver" p:order="0">
    <property name="basenames">
        <list>
            <value>${cas.viewResolver.basename}</value>
            <value>protocol_views</value>
            <value>saml_views</value>
        </list>
    </property>
</bean>
```
SAML2 Google Accounts Integration
In addition to the cas-server-support-saml module dependency, the following 2 steps are required to enable SAML2 Google Accounts Integration. These steps are not required for the SAML 1.1 Ticket Validation Response.
Step 1: Add the Google Accounts argument extractor in the argumentExtractorsConfiguration.xml file:
```xml
<bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"
      p:privateKey-ref="privateKeyFactoryBean"
      p:publicKey-ref="publicKeyFactoryBean"
      p:httpClient-ref="httpClient" />
```
```xml
<util:list id="argumentExtractors">
    <ref bean="casArgumentExtractor" />
    <ref bean="googleAccountsArgumentExtractor" />
</util:list>
```
Step 2: Add a new entry to the uniqueIdGeneratorsMap bean in the uniqueIdGenerators.xml file:
```xml
<util:map id="uniqueIdGeneratorsMap">
    <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
           value-ref="serviceTicketUniqueIdGenerator" />
    <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
           value-ref="serviceTicketUniqueIdGenerator" />
    <entry key="org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService"
           value-ref="serviceTicketUniqueIdGenerator" />
</util:map>
```