Versions Compared

Old Version 9

changes.mady.by.user Jérôme LELEU

Saved on

compared with

New Version Current

changes.mady.by.user Anthony O.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

Since CAS 4.0.0, the SAML support is no longer available in the CAS server itself but through  SAML 1.1 Ticket Validation Response and SAML2 Google Accounts Integration are optional components available through the cas-server-support-saml module.  While both features require the cas-server-support-saml module, they can be deployed independently.

If you want to enable SAML support in the CAS server, you need to apply some of the following steps :

  • step 1 is mandatory
  • step 2 is optional and necessary to support SAML validation from CAS client perspective
  • step 3 is optional and necessary to support SAML 1.1 authentication requests
  • step 4 is optional and necessary to delegate Google SAML 2.0 authentication to your CAS server.

 

...

To enable either feature the cas-server-support-saml module dependency must be added to your CAS Server Maven Overlay pom.xml file:

Code Block
languagehtml/xml
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-saml</artifactId>
  <version>4.0.0</version>
</dependency>

 

Step 2 : enable SAML validation (/samlValidate url)

...

SAML 1.1 Ticket Validate Response Configuration
In addition to the cas-server-support-saml module dependency the following 4 steps are required to enabled the SAML 1.1 Ticket Validation Response.  These steps are not required for SAML2 Google Account Integration.
Step 1 : Define samlValidateController bean and map it to /samlValidate URL via handlerMappingC bean in cas-servlet.xml
...
:
 Code Block
languagehtml/xml
<bean id
...
=
...
"
...
samlValidateController
...
languagehtml/xml
...
"
...
 class="org.jasig.cas.web.ServiceValidateController"
  p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
  p:centralAuthenticationService-ref="centralAuthenticationService"
  p:proxyHandler-ref="proxy20Handler"
  p:argumentExtractor-ref="samlArgumentExtractor"
  p:successView="casSamlServiceSuccessView"
  p:failureView="casSamlServiceFailureView"/>
...
 Code Block
languagehtml/xml
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      ...
      <prop key="/samlValidate">samlValidateController</prop>
      ...
Step 2: Add the servlet mapping for /samlValidate URL in the web.xml file:
 Code Block
languagehtml/xml
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/samlValidate</url-pattern>
</servlet-mapping>
 
Step 3: 
...
Add the appropriate SAML arguments extractor in the argumentExtractorsConfiguration.xml 
...
file:
 Code Block
languagehtml/xml
<bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor
...
"
...
 />
...
 Code Block
languagehtml/xml
<util:list id="argumentExtractors">
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
Step 4: Add the SAML 
...
ID generator in the uniqueIdGenerators.xml file :
 Code Block
languagehtml/xml
<bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator">
  <constructor-arg index="0" value="https://localhost:8443" />
</bean>
and reference it in the uniqueIdGeneratorsMap :
 Code Block
languagehtml/xml
<util:map id="uniqueIdGeneratorsMap">
  <entry
    key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
    value-ref="serviceTicketUniqueIdGenerator" />
  <entry
    key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
    value-ref="serviceTicketUniqueIdGenerator" />
  <entry
    key="org.jasig.cas.support.saml.authentication.principal.SamlService"
    value-ref="samlServiceTicketUniqueIdGenerator" />
</util:map>
Step 5: 
Step 4 : enable Google SAML 2.0 support
Add the SAML views in the cas-servlet.xml file :
 Code Block
languagehtml/xml
<bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver" p:order="0">
  <property name="basenames">
    <list>
      <value>${cas.viewResolver.basename}</value>
      <value>protocol_views</value>
      <value>saml_views</value>
    </list>
  </property>
</bean>
SAML2 Google Accounts Integration
In addition to the cas-server-support-saml module dependency the following 2 steps are required to enable SAML2 Google Account Integration.  These steps are not required for SAML 1.1 Ticket Validation Response.  
Step1: Add the appropriate SAML arguments extractor in the argumentExtractorsConfiguration.xml file :
 Code Block
languagehtml/xml
<bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"
      p:privateKey-ref="privateKeyFactoryBean"
      p:publicKey-ref="publicKeyFactoryBean"
      p:httpClient-ref="httpClient" />
Add it to the list of arguments extractors :
 Code Block
languagehtml/xml
<util:list id="argumentExtractors">
  <ref bean="casArgumentExtractor" />
  <ref bean="googleAccountsArgumentExtractor" />
</util:list>
Step 2: Add a new generator to the uniqueIdGeneratorsMap bean in the uniqueIdGenerators.xml file :
 Code Block
languagehtml/xml
<util:map id="uniqueIdGeneratorsMap">
  <entry
    key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
    value-ref="serviceTicketUniqueIdGenerator" />
  <entry
    key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
    value-ref="serviceTicketUniqueIdGenerator" />
  <entry
    key="org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService"
    value-ref="serviceTicketUniqueIdGenerator" />
</util:map>