
This article describes how to use Microsoft Active Directory (MS-AD) as the account store when CAS authenticates users to Google Apps, and how to send the "mail" attribute of the AD account object to Google as the Google Apps user id instead of the AD login name.

For example, a user logs in to AD as "jdoe" or "jdoe@ad.yourschool.edu", but has the email address "john.doe@yourschool.edu" (hosted at Gmail), which is stored in the "mail" attribute of the AD object. Google Apps knows the user only by that address, so that is the value CAS must put in the SAML response.

Prerequisites:

  • a functioning CAS 3.3 setup, with local customizations kept in a Maven overlay: CASUM/Maintaining+local+customizations+using+Maven+2
  • MS-AD authentication is working: CASUM/Active+Directory
  • LDAP attributes from AD are being loaded into the CAS Principal (the CAS user object): CASUM/Attributes
    You will need to map the AD "mail" attribute to the CAS Principal attribute "EmailAddress", e.g. in the mapping section of that article, use
    <map>
      <entry key="mail" value="EmailAddress" />
    </map>

In your Maven customization folder (here called cas-server-local/, the same folder that is rebuilt below), create the following directory structure if it doesn't already exist:

mkdir -p src/main/java/org/jasig/cas/authentication/principal/

Copy the Google Apps account service class into this directory from the cas-server-core module. From the top of your CAS build directory:

cp cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java \
   cas-server-local/src/main/java/org/jasig/cas/authentication/principal/

Now apply the following patch (a diff against the cas-server-core original) to the copy of the class in your customization folder:

--- cas-server-core/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java     2009-03-18 08:27:22.000000000 -0700
+++ cas-server-local/src/main/java/org/jasig/cas/authentication/principal/GoogleAccountsService.java      2009-03-18 08:25:53.000000000 -0700
@@ -25,6 +25,9 @@
 import java.util.zip.Inflater;
 import java.util.zip.InflaterInputStream;

+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
 /**
  * Implementation of a Service that supports Google Accounts (eventually a more
  * generic SAML2 support will come).
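Review bot: the second hunk introduces `Map<String, Object> attributes`, but this import hunk adds only the two commons-logging imports; unless the unchanged part of GoogleAccountsService.java already has `import java.util.Map;`, the patched file will not compile, so add that import here next to `org.apache.commons.logging.LogFactory`.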
@@ -160,8 +163,36 @@
         c.setTime(new Date());
         c.add(Calendar.YEAR, 1);

-        samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
-            .getId());
+       /**
+        * samlResponse = samlResponse.replace("<USERNAME_STRING>", getPrincipal()
+        *   .getId());
+        */
+        /**
+         * Modify Google return to pass in EmailAddress attribute, if exists.
+         *
+        */
+       String username = getPrincipal().getId();
+       Map<String, Object> attributes = getPrincipal().getAttributes();
+
+       /** Log instance for logging events, info, warnings, errors, etc. */
+       final Log log = LogFactory.getLog(this.getClass());
+
+        if (log.isInfoEnabled()) {
+            log.info("User [" + getPrincipal().getId() + "] has " + attributes.size() + " principal attributes");
+       }
+
+       /**
+        * try to find the attribute mapped in the CredentialsToLDAPAttributePrincipalResolver
+        * configuration in deployerConfigContext.xml
+        */
+       if(attributes.containsKey("EmailAddress")) {
+               username = (String)attributes.get("EmailAddress");
+               if (log.isInfoEnabled()) {
+                               log.info("User [" + getPrincipal().getId() + "]: using EmailID [" + username + "]");
+               }
+       }
+       samlResponse = samlResponse.replace("<USERNAME_STRING>",username);
+
         samlResponse = samlResponse.replace("<RESPONSE_ID>", createID());
         samlResponse = samlResponse.replace("<ISSUE_INSTANT>", SamlUtils
             .getCurrentDateAndTime());
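Review bot: the cast `username = (String)attributes.get("EmailAddress");` has no guard for a null or non-String value: an "EmailAddress" key that is present but maps to null leaves `username` null, so the SAML response carries the literal text "null" instead of falling back to the principal id, and a multi-valued LDAP attribute delivered as a List throws ClassCastException at login time. Check `value instanceof String` and non-blank before using it, and otherwise keep `getPrincipal().getId()`. Two further points: `samlResponse.replace("<USERNAME_STRING>",username)` substitutes a directory-supplied value into XML unescaped, so escape `&`, `<`, `>` and quotes before the replace (the original line had the same property with the principal id); and `LogFactory.getLog(this.getClass())` is looked up on every call inside the method, so make it a `private static final Log` field of the class, and replace the commented-out original statement and the `/** ... */` javadoc-style comments inside the method body with ordinary `//` comments or drop them.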

Rebuild your overlay with Maven:

cd cas-server-local
mvn install package

If the build succeeds, deploy the target/cas.war file and test a login. The patched code writes INFO-level messages to the Tomcat log, typically <tomcat>/logs/catalina.out, showing how many principal attributes each user has and which user id is sent to Google.
Finally, if all looks well, configure your Google Apps domain to use your CAS setup for authentication. See here
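The selection logic that the patch above performs, written out as a self-contained added example; this is not CAS project code. It assumes a minimal stand-in Principal class in place of org.jasig.cas.authentication.principal.Principal, the attribute name "EmailAddress" from the mapping in the prerequisites, and the same "<USERNAME_STRING>" placeholder as the CAS SAML template. Beyond what the patch does, it handles an attribute that is missing, blank, or (depending on the attribute repository, an assumption here) delivered as a List rather than a String, falls back to the login id in those cases, and XML-escapes the value before it is substituted into the SAML response, so a directory value cannot change the XML structure.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not CAS project code: how the patched GoogleAccountsService
 * should choose the value for the SAML <USERNAME_STRING> placeholder. Prefer the
 * "EmailAddress" principal attribute (mapped from AD "mail"), otherwise use the
 * principal id, and never substitute an unescaped value into the XML.
 */
public class GoogleAppsUserIdResolver {

    /** Principal attribute that the AD "mail" attribute was mapped to. */
    static final String EMAIL_ATTRIBUTE = "EmailAddress";

    /** Placeholder used by the CAS SAML response template. */
    static final String USERNAME_PLACEHOLDER = "<USERNAME_STRING>";

    /** Minimal stand-in (assumed) for org.jasig.cas.authentication.principal.Principal. */
    static final class Principal {
        private final String id;
        private final Map<String, Object> attributes;

        Principal(String id, Map<String, Object> attributes) {
            this.id = id;
            this.attributes = attributes == null
                    ? Collections.<String, Object>emptyMap() : attributes;
        }
        String getId() { return id; }
        Map<String, Object> getAttributes() { return attributes; }
    }

    /**
     * Returns the email address from the principal attributes, or null if there
     * is no usable single address. Both a String and a List value are accepted,
     * because an attribute repository may hand back multi-valued LDAP attributes
     * as a List (assumption); the first value is taken.
     */
    static String emailFromAttributes(Map<String, Object> attributes) {
        Object value = attributes.get(EMAIL_ATTRIBUTE);
        if (value instanceof List) {
            List<?> values = (List<?>) value;
            value = values.isEmpty() ? null : values.get(0);
        }
        if (value == null) {
            return null;
        }
        String email = value.toString().trim();
        int at = email.indexOf('@');
        // Accept only a plausible single address: one '@' with text on both
        // sides and no whitespace anywhere ((?s) so the check also sees newlines).
        if (at <= 0 || at == email.length() - 1 || at != email.lastIndexOf('@')
                || email.matches("(?s).*\\s.*")) {
            return null;
        }
        return email;
    }

    /** The user id to send to Google: the mapped email address, else the login id. */
    static String resolveUserId(Principal principal) {
        String email = emailFromAttributes(principal.getAttributes());
        return email != null ? email : principal.getId();
    }

    /** Escapes the XML special characters so a directory value cannot alter the SAML XML. */
    static String escapeXml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&apos;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Replacement for the samlResponse.replace("<USERNAME_STRING>", ...) line of the patch. */
    static String fillUsername(String samlResponse, Principal principal) {
        return samlResponse.replace(USERNAME_PLACEHOLDER, escapeXml(resolveUserId(principal)));
    }

    public static void main(String[] args) {
        // Constructed sample principals; a real one comes from CAS after AD authentication.
        Map<String, Object> single = new HashMap<String, Object>();
        single.put(EMAIL_ATTRIBUTE, "john.doe@yourschool.edu");
        Map<String, Object> multi = new HashMap<String, Object>();
        multi.put(EMAIL_ATTRIBUTE, Arrays.asList("jane.roe@yourschool.edu", "jroe@yourschool.edu"));
        Map<String, Object> blank = new HashMap<String, Object>();
        blank.put(EMAIL_ATTRIBUTE, "   ");

        String template = "<saml:NameID><USERNAME_STRING></saml:NameID>";
        Principal[] samples = {
            new Principal("jdoe", single),   // single String value
            new Principal("jroe", multi),    // List value: first entry is used
            new Principal("asmith", blank),  // blank value: fall back to the login id
            new Principal("bjones", null),   // no attributes at all: fall back to the login id
        };
        for (Principal p : samples) {
            System.out.println(p.getId() + " -> " + fillUsername(template, p));
        }
    }
}
```

Compile and run it stand-alone with javac/java; in a real deployment only the body of fillUsername and its helpers would move into GoogleAccountsService, where getPrincipal() supplies the real Principal. The fallback to the login id keeps logins working for accounts without a "mail" attribute, but note that Google will then receive "jdoe" rather than an address, which only succeeds if such a user exists in the Google Apps domain.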
