ClearPass: Credential Caching and Replay

To enable single sign-on into some legacy applications it may be necessary to provide them with the actual password. While such approach inevitably increases security risk, at times this may be a necessary evil in order to integrate applications with CAS.

Usage Warning!

ClearPass is turned off by default. No applications will be able to obtain the user credentials unless ClearPass is explicitly turned on by the below configuration. Think VERY CAREFULLY before turning on this feature, as it MUST be the last resort in getting an integration to work...maybe not even then.

Overview

CAS is able to issue the credential password directly in the CAS validation response. This previously was handled via a proxy authentication sequence and obtaining a proxy-granting ticket for the ClearPass service and was necessary in order to establish trust between the client application and the CAS server. This document describes the configuration that can be applied in order to receive the credential password as an attribute in the CAS validation response.

In order to successfully establish trust between the CAS server and the application, private/public key pairs are generated by the client application and then the public key distributed and configured inside CAS. CAS will use the public key to encrypt the credential password and will issue a new attribute <credential> in the validation response, only if the service is authorized to receive it.

Note that the return of the credential is only carried out by the CAS validation response, provided the client application issues a request to the /p3/serviceValidate endpoint (or /p3/proxyValidate). Other means of returning attributes to CAS, such as SAML1 will not support the additional returning of this value.

Also note that CAS by default attempts to encrypt the cached credential in memory via its own pre-generated keys for signing and encryption. When the attribute is to be released to the application, CAS will internally decode the credential first and then will attempt to encrypt it again this time using the service’s public key credentials.

ClearPass via Proxying!

CAS no longer supports retrieving the credential via the proxying mechanism. Applications that intend to obtain the credential need to be updated to account for the following approach described here.

Cache Credential

Enable the caching and capturing of the credential in CAS properties.

The following settings and properties are available from the CAS configuration catalog:

_{The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.}

cas.clearpass.cache-credential=false

Enable clearpass and allow CAS to cache credentials.

org.apereo.cas.configuration.model.support.clearpass.ClearpassProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

When possible, properties should be stored in lower-case kebab format, such as cas.property-name=value. The only possible exception to this rule is when naming actuator endpoints; The name of the actuator endpoints (i.e. ssoSessions) MUST remain in camelCase mode.

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.cache-credential=...

This is the most common form of property configuration that is recognized by CAS, regardless of the actual property source, which might in fact be managed separately outside the CAS environment, by another system or cloud framework.

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    cache-credential: "..."

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.cache-credential="..." -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory. Note the placement of the system property which must be specified before the CAS web application is launched.

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CACHE_CREDENTIAL="..."

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.cache-credential="..."

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.encryption.key=

The encryption key is a JWT whose length is defined by the encryption key size setting.

org.apereo.cas.configuration.model.core.util.EncryptionJwtCryptoProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.encryption.key=...

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      encryption: 
        key: "..."

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.encryption.key="..." -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_ENCRYPTION_KEY="..."

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.encryption.key="..."

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.signing.key=

The signing key is a JWT whose length is defined by the signing key size setting.

org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.signing.key=...

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      signing: 
        key: "..."

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.signing.key="..." -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_SIGNING_KEY="..."

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.signing.key="..."

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

_{The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This
flag indicates that the presence of the setting
is not immediately necessary in the end-user CAS configuration, because a default value is assigned or
the activation of the feature is not conditionally controlled by the setting value. You should only include this field in your
configuration if you need to modify the default value.}

cas.clearpass.crypto.alg=

The signing/encryption algorithm to use.

org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.alg=...

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      alg: "..."

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.alg="..." -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_ALG="..."

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.alg="..."

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.enabled=true

Whether crypto operations are enabled.

org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.enabled=true

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      enabled: "true"

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.enabled="true" -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_ENABLED="true"

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.enabled="true"

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.encryption.key-size=512

The encryption key size.

org.apereo.cas.configuration.model.core.util.EncryptionJwtCryptoProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.encryption.key-size=512

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      encryption: 
        key-size: "512"

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.encryption.key-size="512" -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_ENCRYPTION_KEY_SIZE="512"

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.encryption.key-size="512"

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.signing.key-size=512

The signing key size.

org.apereo.cas.configuration.model.core.util.SigningJwtCryptoProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.signing.key-size=512

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      signing: 
        key-size: "512"

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.signing.key-size="512" -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_SIGNING_KEY_SIZE="512"

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.signing.key-size="512"

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

cas.clearpass.crypto.strategy-type=ENCRYPT_AND_SIGN

Control the cipher sequence of operations. The accepted values are:

ENCRYPT_AND_SIGN: Encrypt the value first, and then sign.
SIGN_AND_ENCRYPT: Sign the value first, and then encrypt.

org.apereo.cas.configuration.model.core.util.EncryptionJwtSigningJwtCryptographyProperties.

_{How can I configure this property?}

Configuration properties can be included and activated using the following strategies.

:information_source: Note

CAS properties can be specified using the Java configuration property syntax in any and all .properties files:

cas.clearpass.crypto.strategy-type=ENCRYPT_AND_SIGN

CAS properties can be specified using the YAML syntax:

cas: 
  clearpass: 
    crypto: 
      strategy-type: "ENCRYPT_AND_SIGN"

Note that YAML is very specific about structure and indentation. Be sure to verify the correctness of the final result with your YAML validator of choice.

CAS properties can be passed to the CAS web application as system properties, when the application is launched:

java -Dcas.clearpass.crypto.strategy-type="ENCRYPT_AND_SIGN" -jar build/libs/cas.war

CAS properties can specified as system environment variables before the CAS web application is launched:

export CAS_CLEARPASS_CRYPTO_STRATEGY_TYPE="ENCRYPT_AND_SIGN"

java -jar build/libs/cas.war

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.

CAS properties can be passed to the CAS web application as command-line arguments, when the application is launched:

java -jar build/libs/cas.war --cas.clearpass.crypto.strategy-type="ENCRYPT_AND_SIGN"

The above example assumes that the CAS web application is packaged as cas.war with an embedded server container and can be found in the build/libs directory.