Outline
| Excerpt |
|---|
CAS can be integrated with the Shibboleth federated SSO platform by a couple different strategies. |
...
Add the following XML blocks to the web.xml file for the IDP war deployable. Replace Ant placeholder properties with values appropriate to your environment.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | CAS Context Parameters | xml |
|---|
|
<!-- For CAS client support -->
<context-param>
<param-name>serverName</param-name>
<param-value>${idp.hostname}</param-value>
</context-param>
|
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | CAS Filtersxml |
|---|
|
<!-- CAS client filters -->
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>
org.jasig.cas.client.authentication.AuthenticationFilter
</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>${cas.server.url}login</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>${cas.server.url}</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>
org.jasig.cas.client.util.HttpServletRequestWrapperFilter
</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
|
The following is defined by default in the IDP web.xml, but it is included here for completeness since it is required for CAS integration.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| title | Define Shib RemoteUser Servlet | xml |
|---|
|
<!-- Servlet protected by container user for RemoteUser authentication -->
<servlet>
<servlet-name>RemoteUserAuthHandler</servlet-name>
<servlet-class>edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserAuthServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RemoteUserAuthHandler</servlet-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</servlet-mapping>
|
...
- AuthenticationMethod for SAML1
- AuthenticationContext for SAML2
| Code Block |
|---|
| XML |
|---|
| XML |
|---|
| title | SAML2 Response Excerpt for InCommon SilverXML |
|---|
|
<saml2:AuthnStatement
AuthnInstant="2011-09-22T19:28:28.216Z"
SessionIndex="17ba42593e110357eb7b40cf548bd4556b238c8115fa2c8f08f65c945f9cf12f">
<saml2:SubjectLocality Address="10.0.0.1"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>
http://id.incommon.org/assurance/silver
</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
|
...
The core integration between CAS and Shib happens with a custom servlet filter, AssertionAttributeAuthenticationMethodFilter, that performs a single function: extract the eduPersonAssurance attribute from the CAS assertion and set the authnMethod request attribute for downstream IdP components.
| Code Block |
|---|
| XML |
|---|
| XML |
|---|
| title | IdP web.xml Modifications for Custom Shib-CAS Filter | XML |
|---|
|
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>
org.jasig.cas.client.validation.Saml11TicketValidationFilter
</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>${cas.server.url}</param-value>
</init-param>
<init-param>
<param-name>redirectAfterValidation</param-name>
<param-value>false</param-value>
</init-param>
<init-param>
<!--
Adjust to accommodate clock drift between client/server.
Increasing tolerance has security consequences,
so it is preferable to correct the source of clock
drift instead.
-->
<param-name>tolerance</param-name>
<param-value>5000</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
<filter>
<filter-name>AssertionAttributeAuthenticationMethodFilter</filter-name>
<filter-class>
edu.vt.middleware.shib.cas.AssertionAttributeAuthenticationMethodFilter
</filter-class>
<init-param>
<param-name>authMethodAttribute</param-name>
<param-value>eduPersonAssurance</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>AssertionAttributeAuthenticationMethodFilter</filter-name>
<url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>
|
...
The Shibboleth authentication handler configuration needed to be changed to send users to CAS if InCommon silver or bronze are requested by the SP.
| Code Block |
|---|
| XML |
|---|
| XML |
|---|
| title | Configure handler.xml to Accept Silver and Bronze Authentication MethodsXML |
|---|
|
<LoginHandler xsi:type="RemoteUser">
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
</AuthenticationMethod>
<AuthenticationMethod>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</AuthenticationMethod>
<AuthenticationMethod>
http://id.incommon.org/assurance/bronze
</AuthenticationMethod>
<AuthenticationMethod>
http://id.incommon.org/assurance/silver
</AuthenticationMethod>
</LoginHandler> |
Shibboleth IDP External Authentication via CAS plugin
This is a Shibboleth IDP external authentication plugin that delegates the authentication to the Central Authentication Server. The biggest advantage of using this component over the plain REMOTE_USER header solution provided by Shibboleth is the ability to utilize a full range of native CAS protocol features such as renew and gateway.