We all know what CAS is .. you can read about it on the JASIG CAS pages.
Also was not sure if this belongs in the CAS Wiki or here.. I settled on here for now.
There are many ways to integrate CAS and Shibboleth. The IdPAuthRemoteUser and SSO-CAS Login Handler (s) are examples of integrations where the CAS server is providing the authentication layer to the Identity Provider.
Here we are concerned about doing basically the opposite. In our particular environment we did not want to flip the current SSO infrastructure to rely on authentication provided by CAS. Nor did we want to introduce yet another single sign-on UI to the end user. The outcome of these two decisions was to "shibbolize" the CAS server.
There are two things that make this work and enhance the ability to throw a Shib-SP in-front of the CAS server.
Normally you point CAS off to some directory service or user store such as LDAP or DB layer that handles the actual AuthN phase of the sign-on process. Rather than hooking into the DS at this authentication step, in this model we are taking advantage of CAS's Trusted Authentication Handler to make use of the web servers http authentication layer.
Using "Trusted Auth" gets us in a position to utilize a local previously established single sign-on infrastructure. This is achieved by setting up the CAS server and its accompanying Shib-SP as an Relying Party to our Shibboleth-IdP.
Install and configure the Shibboleth SP as normal. The CAS server will be using the value found in REMOTE_USER to correlate its internal ticketing mechanics so set the value of your primary identifier accordingly.
Normally CAS would like to access your DS or DB layer to retrieve attributes about the principal that it has just authenticated. In our model we don't want any connections to these outside services rather we want to make use of attributes coming from the Shib-SP in front of CAS.
To do this we modify the
deployerConfigContext.xml file in our war-overlay (see CAS wiki) process. We have to modify the
attributeRepository bean to rely on the
requestAttributeDao bean which will pull our attributes from the request scope.
Code snippet (modifications to
deployerConfigContext.xml) found here
Next you will need to add a filter to the CAS applications
web.xml file to make the header attributes present in the request scope. The following additions to
web.xml should enable the incoming shibboleth delivered attributes to be accessible to the CAS Attribute DAO.
<filter> <filter-name>requestAttributeSourceFilter</filter-name> <filter-name>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> ...then <filter-mapping> <filter-name>requestAttributeSourceFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
There is nothing specific to the Shibboleth Identity Provider for this setup. The "CAS Bridge" Relying Party operates just as any known RP does when interacting with the Identity Provider.
There is nothing specific to the local configuration of the Shibboleth Service Provider to make this work.
The only integration point to be mindful of is the mapping of your incoming attributes to ensure correct correct data translation within the CAS application.
To enable both CAS and the Shibboleth-SP to do their jobs with their respective calls, we have to fix up the
<Location> blocks in Apache a bit.
It is assumed that all calls to
/cas will be proxied to the tomcat instance.
<Location ~ "^/cas/login"> AuthType shibboleth ShibRequestSetting requireSession 1 ShibUseHeaders On Require valid-user </Location> <Location ~ "^/cas/serviceValidate"> AuthType shibboleth ShibRequestSetting requireSession 0 Require shibboleth </Location> <Location ~ "^/cas/samlValidate"> AuthType shibboleth ShibRequestSetting requireSession 0 Require shibboleth </Location> <Location ~ "^/cas/proxy"> AuthType shibboleth ShibRequestSetting requireSession 0 Require shibboleth </Location> <Location ~ "^/cas/proxyValidate"> AuthType shibboleth ShibRequestSetting requireSession 0 Require shibboleth </Location>
The idea here is to not rely on the CAS service to maintain the users sso state. We treat the CAS session strictly as a protocol level session and give it a short lifetime, while relying on the external SSO service to deal with our true SSO session lifetime.
We have further reprogrammed the calls to the
/cas/logout location to redirect the user into the Shibboleth-SP logout flow.