OpenID is an open, decentralized, free framework for user-centric digital identity. Users represent themselves using URIs. For more information see the http://www.openid.net. As of CAS 3.1, CAS supports the "dumb" mode of the OpenID protocol. Dumb mode acts in a similar fashion to the existing CAS protocol.
Giving your users URIs
Configuring your users to have URIs.
You'll need to set up a local mechanism for generating URIs for your users based on their username (i.e. http://openid.rutgers.edu/battags).
The endpoint pages look something like this:
<html> <head> <link rel="openid.server" href="https://localhost/cas/login" /> </head> </html>
Enabling OpenID in CAS
Note: We're assuming you are using the Default AuthenticationManager.
Modifying the deployerConfigContext.xml
Open your deployerConfigContext.xml and add the following entries:
Add a new AuthenticationHandler to your AuthenticationManager
<bean class="org.jasig.cas.support.openid.authentication.handler.support.OpenIdCredentialsAuthenticationHandler" p:ticketRegistry-ref="ticketRegistry" />
Add a new CredentialsToPrincipalResolver to your AuthenticationManager
<bean class="org.jasig.cas.support.openid.authentication.principal.OpenIdCredentialsAuthenticationHandler" />
Modifying the cas-servlet.xml
Add the Url Mapping Handler
Add the following entry to your cas-servlet.xml (it can go anywhere):
<bean id="handlerMappingA" class="org.jasig.cas.support.openid.web.support.OpenIdPostUrlHandlerMapping"> <property name="mappings"> <props> <prop key="/login">openIdValidateController</prop> </props> </property> </bean>
This will direct validation requests to the correct controller.
OpenId Validation Controller
Add the following to enable validation of an OpenID request:
<bean id="openIdValidateController" class="org.jasig.cas.web.ServiceValidateController" p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" p:centralAuthenticationService-ref="centralAuthenticationService" p:proxyHandler-ref="proxy20Handler" p:argumentExtractor-ref="openIdArgumentExtractor" p:successView="casOpenIdServiceSuccessView" p:failureView="casOpenIdServiceFailureView" />
ArgumentExtractor
Next, we need to add the ArgumentExtractor that can actually detect the OpenID request:
<bean id="openIdArgumentExtractor" class="org.jasig.cas.support.openid.web.support.OpenIdArgumentExtractor" />
Then, locate the <util:list> entry in the cas-servlet.xml and add a:
<ref bean="openIdArgumentExtractor" />
It should look something like this (it will vary depending on what is enabled):
<util:list id="argumentExtractors"> <ref bean="casArgumentExtractor" /> <ref bean="samlArgumentExtractor" /> <ref bean="openIdArgumentExtractor" /> </util:list>
Add the Action for the Web Flow
Finally, in the cas-servlet.xml you'll need to add the action that we will reference in the login flow xml file:
<bean id="openIdSingleSignOnAction" class="org.jasig.cas.support.openid.web.flow.OpenIdSingleSignOnAction"
p:centralAuthenticationService-ref="centralAuthenticationService" />
Be Careful
The OpenIdSingleSignOnAction has an additional parameter not configured here. Its the "extractor" property which accepts a "org.jasig.cas.support.openid.web.support.OpenIdUserNameExtractor". The default one merely accepts the value after the last "/". A more robust implementation should check the entire URL. Note, that means the default one SHOULD NOT be used in production.
login-webflow.xml
Add the following action to your login-webflow.xml
<action-state id="openIdSingleSignOnAction">
<action bean="openIdSingleSignOnAction" />
<transition on="success" to="sendTicketGrantingTicket" />
<transition on="error" to="ticketGrantingTicketExistsCheck" />
<transition on="warn" to="warn" />
</action-state>
You'll want to modify your InitialFlowAction's "success" event to go to "openIdSingleSignOnAction"