CAS 5 SAML2 Delegated AuthN Tutorial


Collaborate
The blog is managed and hosted on GitHub. If you wish to update the contents of this post or if you have found an inaccuracy and wish to make corrections, we recommend that you please submit a pull request to this repository.

This is a short and sweet tutorial on how to configure CAS to delegate authentication to an external SAML2 identity provider. Most of the material is based on the available documentation.

This tutorial specifically focuses on:

Deploy CAS

Hop over to the overlay installation and get CAS built and deployed. The CAS version I am using today is 5.1.0-RC3-SNAPSHOT. It does not matter whether you end up using Maven or Gradle. Choose what fits you best. When you have a baseline functioning build, continue on.

Configure CAS

Add the required module specified here in the documentation to your build. Next, we need to teach CAS about the external SAML2 Identity Provider. The configuration displayed below simply wants to have CAS act as a sevice provider with its own unique entity id, keystore, etc. CAS itself will generate the relevant service-provider credentials, keystores and metadata and will then examine the identity provider metadata document to learn about endpoints, etc. So you only really have to provide the values and let the software handle the rest.

cas.authn.pac4j.saml[0].keystorePassword=pac4j-demo-passwd
cas.authn.pac4j.saml[0].privateKeyPassword=pac4j-demo-passwd
cas.authn.pac4j.saml[0].serviceProviderEntityId=urn:mace:saml:pac4j.org
cas.authn.pac4j.saml[0].serviceProviderMetadataPath=/etc/cas/config/sp-metadata.xml
cas.authn.pac4j.saml[0].keystorePath=/etc/cas/config/samlKeystore.jks
cas.authn.pac4j.saml[0].identityProviderMetadataPath=https://dev-12345.oktapreview.com/app/486ngfgf/sso/saml/metadata

Note that the above settings are indexed, which means that if you needed to, you could delegate authentication to more than one identity provider. Also remember that metadata, keystores and such are only created if they are absent from the specified locations. You can certainly hand-massage them if needed, and CAS will let them be as they are without complaints.

Configure Okta

Follow the documentation described here to create a developer account and add a new application as a SAML2 IdP. At a minimum, you need to provide Okta with the SSO (ACS) url and entity id of the service provider, that being CAS in this case. You do have the entity id above and the ACS url takes on the following form:

https://sso.example.org/cas/login?client_name=SAML2Client

The configuration would look something like the following image:

image

Finally you need to assign people/users to the SAML2 Identity Provider application to allow for authentication:

image

Okta is then able to provide you with a metadata for this instance, which you can then use to plug back into the above settings.

That’s It

When you deploy CAS, your default logs (though you could certainly turn on DEBUG to observe a lot more) would indicate something along the following lines:

2017-03-22 13:33:59,147 INFO [o.a.c.s.p.c.s.a.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Located and prepared [1] delegated authentication clients>
2017-03-22 13:33:59,182 INFO [o.a.c.s.p.c.s.a.Pac4jAuthenticationEventExecutionPlanConfiguration] - <Registering delegated authentication clients...>

…and when you get to the login page, you will see the following:

image

The same strategy simply applies to all other forms of delegated authentication, such as social identity providers or other CAS servers.

Misagh Moayyed

Related Posts

CAS 5.3.0 RC4 Feature Release

...in which I present an overview of CAS 5.3.0 RC4 release.

Apereo CAS - Identity Impersonation

You do not always have to be you. Allow the Apereo CAS server to allow you to pretend to be another person for fun and profit.

Apereo CAS - Customized Settings

Extend the Apereo CAS server to allow custom configuration properties and settings.

Apereo CAS - Handling Multiple Logout URLs

Extend the Apereo CAS server to allow for multiple logout URLs during SLO operations.

Apereo CAS - Access Strategy External URL Redirects

A quick use case walkthrough where the authentication flow in CAS is to be redirected to a customized external URL if service access is denied.

Apereo CAS - Linking Accounts with Delegated Authentication

A quick use case walkthrough where profiles provided by external identity providers to CAS need to be looked up by an identifier in internal databases before CAS can successfully establish an authenticated subject.

Nominate awesome fits for the Apereo board

Provoking thoughts about who might serve well on Apereo board.

Apereo CAS - Test-Driving Feature Modules

An overview of how various CAS features modules today can be changed and tested from the perspective of a CAS contributor working on the codebase itself to handle a feature request, bug fix, etc.

Feedback on draft Apereo strategy

Focus on revenue to achieve sustainability. Defer everything else.

Apereo CAS Best [Mal]Practice - Supercharged Overlays

An overview of how a CAS overlay prepped for deployment can tap into internal components, altering logic and behavior for good and evil...but mostly evil.