crhume / pwm

Automatically exported from code.google.com/p/pwm

Enhancement: PWM CAS SSO integration #54

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
PWM CAS SSO integration could be done using CAS ClearPass extension:
https://wiki.jasig.org/display/CASUM/ClearPass
which can provide CAS authenticated user's password to PWM.

1) Install CAS with ClearPass extension
2) Deploy PWM using attached AuthenticationFilterCAS which extends AuthenticationFilter overriding processUnAuthenticatedSession
3) Modify PWM web.xml:
- add CAS filters definition
https://wiki.jasig.org/display/CASC/Configuring+the+JA-SIG+CAS+Client+for+Java+in+the+web.xml
- replace AuthenticationFilter class with password.pwm.AuthenticationFilterCAS
- specify ClearPass url in AuthenticationFilter init-param
- add CAS filters mappings before AuthenticationFilter mappings
4) Add CAS Java client library to lib directory
http://downloads.jasig.org/cas-clients/
5) Make sure to specify PWM proxycallback url in allowedProxyChains of ClearPass; this tells ClearPass to trust PWM for proxy authentication.

Original issue reported on code.google.com by alessand...@gmail.com on 31 Mar 2011 at 5:18

GoogleCodeExporter commented 9 years ago
Updated AuthenticationFilterCAS to make it work after exception refactoring

Original comment by alessand...@gmail.com on 3 May 2011 at 1:10

GoogleCodeExporter commented 9 years ago
What are the license terms for the CAS libraries? Where can they be found? Need to know if they can be distributed with PWM.

Original comment by jrivard on 21 May 2011 at 10:37

GoogleCodeExporter commented 9 years ago
They use a BSD-like license; binaries can be redistributed, you just need to add their license to your distribution:
http://www.jasig.org/cas/license

Original comment by alessand...@gmail.com on 22 May 2011 at 10:00

GoogleCodeExporter commented 9 years ago
Checked into svn revision 179 (finally). Needs testing. Configuration option for ClearPass URL is on Misc configuration page.

Original comment by jrivard on 21 Jun 2011 at 4:42

GoogleCodeExporter commented 9 years ago
I will test as soon as possible.
You can remove some jars, the only jar needed is cas-client-core-3.2.0.jar
Thank you very much

Original comment by alessand...@gmail.com on 21 Jun 2011 at 6:26

GoogleCodeExporter commented 9 years ago
I've added CAS filters to web.xml as in attached example.
CAS authentication works:
2011-06-23 11:29:16, DEBUG, pwm.AuthenticationFilter, {e,Canovi Alessandro} login via CAS successful [172.16.21.3]
but after login a blank page is displayed instead of the requested page (for example ChangePassword); after a refresh the page is correctly displayed and the user is allowed to change password.

Original comment by alessand...@gmail.com on 23 Jun 2011 at 10:33

GoogleCodeExporter commented 9 years ago
You shouldn't need to change the web.xml at all... The authentication filter is doing the work. What do you see in the trace file? (Please set stdout log level to trace)

Original comment by jrivard on 23 Jun 2011 at 11:32

GoogleCodeExporter commented 9 years ago
I've tried adding this:

chain.doFilter(req, resp);

after authUserUsingCASClearPass(req,clearPassUrl) and it seems to work correctly now.

try {
    final String clearPassUrl = pwmSession.getConfig().readSettingAsString(PwmSetting.CAS_CLEAR_PASSS_URL);
    if (clearPassUrl != null && clearPassUrl.length() > 0) {
        LOGGER.trace(pwmSession, "checking for authentication via CAS");
        if (CASAuthenticationHelper.authUserUsingCASClearPass(req, clearPassUrl)) {
            LOGGER.debug(pwmSession, "login via CAS successful");
            // Continue the filter chain so the originally requested page is rendered;
            // returning without this left the response empty (the blank page described above).
            chain.doFilter(req, resp);
            return;
        }
    }
} catch (ChaiUnavailableException e) {
    // LDAP directory unreachable: record the failure and forward to PWM's error page
    pwmSession.getContextManager().getStatisticsManager().incrementValue(Statistic.LDAP_UNAVAILABLE_COUNT);
    pwmSession.getContextManager().setLastLdapFailure(new ErrorInformation(PwmError.ERROR_DIRECTORY_UNAVAILABLE, e.getMessage()));
    ssBean.setSessionError(PwmError.ERROR_DIRECTORY_UNAVAILABLE.toInfo());
    ServletHelper.forwardToErrorPage(req, resp, req.getSession().getServletContext());
    return;
} catch (PwmException e) {
    // Any other PWM error: surface it on the error page instead of continuing unauthenticated
    ssBean.setSessionError(e.getErrorInformation());
    ServletHelper.forwardToErrorPage(req, resp, req.getSession().getServletContext());
    return;
}

Original comment by alessand...@gmail.com on 1 Jul 2011 at 7:44

GoogleCodeExporter commented 9 years ago
Doh! I was close for not having a test environment :) Can you verify it's working in v1.5.4?

Original comment by jrivard on 5 Jul 2011 at 11:26

GoogleCodeExporter commented 9 years ago
CAS integration works in v1.5.4.
The web.xml CAS filters are needed; see attached example.

Original comment by alessand...@gmail.com on 6 Jul 2011 at 3:19

GoogleCodeExporter commented 9 years ago
Added (commented) web.xml sample to PWM's web.xml as of v1.5.5. Closing this issue.

Original comment by jrivard on 7 Jul 2011 at 11:24

GoogleCodeExporter commented 9 years ago

Original comment by jrivard on 7 Jul 2011 at 11:25