SAML Support in CAS 4
Since CAS 4, the SAML 1.1 Ticket Validation Response and the SAML2 Google Accounts Integration are optional components provided by the cas-server-support-saml module. Both features require that module, but they can be deployed independently of each other.
To enable either feature, add the cas-server-support-saml dependency to the pom.xml of your CAS Server Maven Overlay:
```xml
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-saml</artifactId>
  <version>4.0.0</version>
</dependency>
```
SAML 1.1 Ticket Validate Response Configuration
In addition to the cas-server-support-saml module dependency, the following steps are required to enable the SAML 1.1 Ticket Validation Response. They are not required for the SAML2 Google Accounts Integration.
Step 1: Define the samlValidateController bean and map it to the /samlValidate URL via the handlerMappingC bean in cas-servlet.xml:
```xml
<bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController"
      p:validationSpecificationClass="org.jasig.cas.validation.Cas20WithoutProxyingValidationSpecification"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:proxyHandler-ref="proxy20Handler"
      p:argumentExtractor-ref="samlArgumentExtractor"
      p:successView="casSamlServiceSuccessView"
      p:failureView="casSamlServiceFailureView"/>

<bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
  <property name="mappings">
    <props>
      ...
      <prop key="/samlValidate">samlValidateController</prop>
      ...
    </props>
  </property>
</bean>
```
Step 2: Add the servlet mapping for the /samlValidate URL in the web.xml file:
```xml
<servlet-mapping>
  <servlet-name>cas</servlet-name>
  <url-pattern>/samlValidate</url-pattern>
</servlet-mapping>
```
Step 3: Add the SAML argument extractor in the argumentExtractorsConfiguration.xml file:
```xml
<bean id="samlArgumentExtractor" class="org.jasig.cas.support.saml.web.support.SamlArgumentExtractor" />

<util:list id="argumentExtractors">
  <ref bean="casArgumentExtractor" />
  <ref bean="samlArgumentExtractor" />
</util:list>
```
Step 4: Add the SAML ID generator in the uniqueIdGenerators.xml file:
```xml
<!-- The constructor argument is the URL of this CAS server; replace localhost with your deployment's address. -->
<bean id="samlServiceTicketUniqueIdGenerator" class="org.jasig.cas.support.saml.util.SamlCompliantUniqueTicketIdGenerator">
  <constructor-arg index="0" value="https://localhost:8443" />
</bean>

<util:map id="uniqueIdGeneratorsMap">
  <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
         value-ref="serviceTicketUniqueIdGenerator" />
  <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
         value-ref="serviceTicketUniqueIdGenerator" />
  <entry key="org.jasig.cas.support.saml.authentication.principal.SamlService"
         value-ref="samlServiceTicketUniqueIdGenerator" />
</util:map>
```
Step 5: Add the SAML views in the cas-servlet.xml file:
```xml
<bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver" p:order="0">
  <property name="basenames">
    <list>
      <value>${cas.viewResolver.basename}</value>
      <value>protocol_views</value>
      <value>saml_views</value>
    </list>
  </property>
</bean>
```
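As an added check, not code from the CAS project or from this page, the following Python script parses an overlay's cas-servlet.xml, web.xml and uniqueIdGenerators.xml and reports which of the SAML 1.1 steps above are still missing. The XML fragments embedded in it are constructed samples; the web.xml sample deliberately lacks the /samlValidate servlet mapping so that the check has something to report.

```python
import xml.etree.ElementTree as ET

# Constructed sample fragments (not files from the CAS project). The web.xml
# sample deliberately lacks the /samlValidate servlet mapping from Step 2.
CAS_SERVLET_XML = """<beans xmlns="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p">
  <bean id="samlValidateController" class="org.jasig.cas.web.ServiceValidateController" p:argumentExtractor-ref="samlArgumentExtractor"/>
  <bean id="handlerMappingC" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
    <property name="mappings"><props><prop key="/samlValidate">samlValidateController</prop></props></property>
  </bean>
  <bean id="viewResolver" class="org.springframework.web.servlet.view.ResourceBundleViewResolver">
    <property name="basenames"><list><value>protocol_views</value><value>saml_views</value></list></property>
  </bean>
</beans>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>cas</servlet-name><url-pattern>/serviceValidate</url-pattern></servlet-mapping>
</web-app>"""
GENERATORS_XML = """<beans xmlns="http://www.springframework.org/schema/beans" xmlns:util="http://www.springframework.org/schema/util">
  <util:map id="uniqueIdGeneratorsMap">
    <entry key="org.jasig.cas.support.saml.authentication.principal.SamlService" value-ref="samlServiceTicketUniqueIdGenerator"/>
  </util:map>
</beans>"""

def check_saml11_config(cas_servlet_xml, web_xml, generators_xml):
    """Return the SAML 1.1 wiring steps that are missing; an empty list means all are present."""
    missing = []
    servlet = ET.fromstring(cas_servlet_xml)
    beans = {b.get("id"): b for b in servlet.iterfind(".//{*}bean")}  # "{*}" matches any namespace
    ctrl = beans.get("samlValidateController")
    extractor_refs = [] if ctrl is None else [v for k, v in ctrl.attrib.items() if k.endswith("argumentExtractor-ref")]
    if "samlArgumentExtractor" not in extractor_refs:
        missing.append("Step 1: samlValidateController bean wired to samlArgumentExtractor")
    mapping = beans.get("handlerMappingC")
    props = {} if mapping is None else {p.get("key"): (p.text or "").strip() for p in mapping.iterfind(".//{*}prop")}
    if props.get("/samlValidate") != "samlValidateController":
        missing.append("Step 1: /samlValidate entry in handlerMappingC")
    resolver = beans.get("viewResolver")
    if resolver is None or "saml_views" not in [v.text for v in resolver.iterfind(".//{*}value")]:
        missing.append("Step 5: saml_views basename in viewResolver")
    web = ET.fromstring(web_xml)
    if not any(m.findtext("{*}servlet-name") == "cas" and m.findtext("{*}url-pattern") == "/samlValidate"
               for m in web.iterfind(".//{*}servlet-mapping")):
        missing.append("Step 2: /samlValidate servlet-mapping in web.xml")
    entries = {e.get("key"): e.get("value-ref") for e in ET.fromstring(generators_xml).iterfind(".//{*}entry")}
    if entries.get("org.jasig.cas.support.saml.authentication.principal.SamlService") != "samlServiceTicketUniqueIdGenerator":
        missing.append("Step 4: SamlService entry in uniqueIdGeneratorsMap")
    return missing

if __name__ == "__main__":
    for item in check_saml11_config(CAS_SERVLET_XML, WEB_XML, GENERATORS_XML):
        print("MISSING:", item)
```

Step 3 (argumentExtractorsConfiguration.xml) is not covered by this script; the same pattern applies, looking for a ref to samlArgumentExtractor inside the argumentExtractors list.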
SAML2 Google Accounts Integration
In addition to the cas-server-support-saml module dependency, the following 2 steps are required to enable the SAML2 Google Accounts Integration. They are not required for the SAML 1.1 Ticket Validation Response.
Step 1: Add the Google Accounts argument extractor in the argumentExtractorsConfiguration.xml file:
```xml
<bean id="googleAccountsArgumentExtractor" class="org.jasig.cas.support.saml.web.support.GoogleAccountsArgumentExtractor"
      p:privateKey-ref="privateKeyFactoryBean"
      p:publicKey-ref="publicKeyFactoryBean"
      p:httpClient-ref="httpClient" />

<util:list id="argumentExtractors">
  <ref bean="casArgumentExtractor" />
  <ref bean="googleAccountsArgumentExtractor" />
</util:list>
```
Step 2: Add a new entry to the uniqueIdGeneratorsMap bean in the uniqueIdGenerators.xml file:
```xml
<util:map id="uniqueIdGeneratorsMap">
  <entry key="org.jasig.cas.authentication.principal.SimpleWebApplicationServiceImpl"
         value-ref="serviceTicketUniqueIdGenerator" />
  <entry key="org.jasig.cas.support.openid.authentication.principal.OpenIdService"
         value-ref="serviceTicketUniqueIdGenerator" />
  <entry key="org.jasig.cas.support.saml.authentication.principal.GoogleAccountsService"
         value-ref="serviceTicketUniqueIdGenerator" />
</util:map>
```