Since CAS 4.0.0, the SAML support is no longer available in the CAS server itself but through the cas-server-support-saml module.
If you want to enable SAML support in the CAS server, you need to apply some of the following steps :
- step 1 is mandatory
- step 2 is optional and necessary to support SAML validation from CAS client perspective
- step 3 is optional and necessary to support SAML 1.1 authentication requests
- step 4 is optional and necessary to delegate Google SAML 2.0 authentication to your CAS server.
Step 1: add the Maven dependency to your CAS server pom.xml file :
<dependency> <groupId>org.jasig.cas</groupId> <artifactId>cas-server-support-saml</artifactId> <version>4.0.0</version> </dependency>
Step 2 : enable SAML validation (/samlValidate url)
Add the appropriate mapping in the handlerMappingC bean in the cas-servlet.xml file :
<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping"> <property name="mappings"> <props> ... <prop key="/samlValidate">samlValidateController</prop> ...with the samlValidateController bean :
<bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController" p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification" p:centralAuthenticationService-ref="centralAuthenticationService" p:proxyHandler-ref="proxy20Handler" p:argumentExtractor-ref="samlArgumentExtractor" p:successView="casSamlServiceSuccessView" p:failureView="casSamlServiceFailureView"/>
add the servlet mapping in the web.xml file :
<servlet-mapping> <servlet-name>cas</servlet-name> <url-pattern>/samlValidate</url-pattern> </servlet-mapping>
Step 3 : enable SAML 1.1 support
Add the appropriate SAML arguments extractor in the argumentExtractorsConfiguration.xml file :
<bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor" p:httpClient-ref="noRedirectHttpClient" p:disableSingleSignOut="${slo.callbacks.disabled:false}" />Add it to the list of arguments extractors :
<util:list id="argumentExtractors"> <ref bean="casArgumentExtractor" /> <ref bean="samlArgumentExtractor" /> </util:list>
Add the SAML id generator in the uniqueIdGenerators.xml file :
<bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator"> <constructor-arg index="0" value="https://localhost:8443" /> </bean>
and reference it in the uniqueIdGeneratorsMap :
<util:map id="uniqueIdGeneratorsMap"> <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.saml.authentication.principal.SamlService" value-ref="samlServiceTicketUniqueIdGenerator" /> </util:map>
Step 4 : enable Google SAML 2.0 support
Add the appropriate SAML arguments extractor in the argumentExtractorsConfiguration.xml file :
<bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor" p:privateKey-ref="privateKeyFactoryBean" p:publicKey-ref="publicKeyFactoryBean" p:httpClient-ref="httpClient" />Add it to the list of arguments extractors :
<util:list id="argumentExtractors"> <ref bean="casArgumentExtractor" /> <ref bean="googleAccountsArgumentExtractor" /> </util:list>
Add a new generator to the uniqueIdGeneratorsMap bean in the uniqueIdGenerators.xml file :
<util:map id="uniqueIdGeneratorsMap"> <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService" value-ref="serviceTicketUniqueIdGenerator" /> <entry key="org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService" value-ref="serviceTicketUniqueIdGenerator" /> </util:map>