IdP with CAS - forceAuthn

Shibboleth IdPv3

Shibboleth Identity Provider version 3 can also be used as a CAS server instead of Apereo CAS (formerly JASIG CAS); for more information see Use Shibboleth as a CAS server.

This page is intended for administrators who have installed a Shibboleth IdPv2 with CAS authentication following the JASIG instructions (https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration).

Use this page as the reference: https://wiki.shibboleth.net/confluence/display/SHIB2/SSO-CAS+Login+Handler.

Download and build ssocas-login-handler.

cd /tmp
svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
cd ssocas-login-handler
mvn package
cp target/ssocas-login-handler-0.8.jar /opt/shibboleth-identityprovider/lib/

Edit the file /opt/shibboleth-identityprovider/src/main/webapp/WEB-INF/web.xml

Add the following filters and filter mappings

<!-- CAS Authentication Filter - forceAuthn  -->
<filter>
 <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
 <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
 <init-param>
  <param-name>casServerLoginUrl</param-name>
  <param-value>https://cas.example.com/cas/login</param-value> <!-- CHANGE HERE - CAS login url -->
 </init-param>
 <init-param>
  <param-name>renew</param-name>
  <param-value>true</param-value>
 </init-param>
</filter>

<!-- CAS Validation Filter - forceAuthn -->
<filter>
 <filter-name>CAS Validation Filter - forceAuthn</filter-name>
 <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
 <init-param>
  <param-name>casServerUrlPrefix</param-name>
  <param-value>https://cas.example.com/cas</param-value> <!-- CHANGE HERE - CAS url -->
 </init-param>
 <init-param>
  <param-name>renew</param-name>
  <param-value>true</param-value>
 </init-param>
</filter>

<!-- CAS Filters Mappings -->

<filter-mapping>
 <filter-name>CAS Authentication Filter</filter-name>
 <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
 <dispatcher>REQUEST</dispatcher> 
 <dispatcher>FORWARD</dispatcher> 
</filter-mapping>

<filter-mapping>
 <filter-name>CAS Validation Filter</filter-name>
 <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
</filter-mapping>

<filter-mapping>
 <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
 <dispatcher>REQUEST</dispatcher> 
 <dispatcher>FORWARD</dispatcher> 
</filter-mapping>

<filter-mapping>
 <filter-name>CAS Validation Filter - forceAuthn</filter-name>
 <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
</filter-mapping>

Replace the following filter mappings

<filter-mapping>
  <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
  <url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>CAS Assertion Thread Local Filter</filter-name>
  <url-pattern>/Authn/RemoteUser</url-pattern>
</filter-mapping>

with

<filter-mapping>
 <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name> 
 <url-pattern>/Authn/Cas/*</url-pattern>
</filter-mapping>

<filter-mapping>
 <filter-name>CAS Assertion Thread Local Filter</filter-name>
 <url-pattern>/Authn/Cas/*</url-pattern>
</filter-mapping>

Also add the following among the other servlet mappings.

<servlet-mapping>
    <servlet-name>RemoteUserAuthHandler</servlet-name>
    <url-pattern>/Authn/Cas/*</url-pattern>
</servlet-mapping>

Edit the file /opt/shibboleth-idp/conf/handler.xml

Change

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">

to

<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xmlns:sclh="fr:renater:ssocashandler"
            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                                fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">

Change

<ph:LoginHandler xsi:type="ph:RemoteUser">
  <ph:AuthenticationMethod>
    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
  </ph:AuthenticationMethod>
  <ph:AuthenticationMethod>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  </ph:AuthenticationMethod>
</ph:LoginHandler>

to

<ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
    <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
</ph:LoginHandler>

Build and install a new WAR file:

cd /opt/shibboleth-identityprovider
./install.sh

Install to the same path as before; the default is /opt/shibboleth-idp

Remember to answer no to the question about overwriting the existing configuration.
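Before rebuilding the WAR it is worth checking the filter wiring in web.xml, because the whole forceAuthn mechanism hinges on the CAS client filters mapped to /Authn/Cas/ForceAuthn carrying renew=true (which makes the CAS server demand fresh credentials instead of reusing the user's SSO session) and on the NoForceAuthn filters not carrying it. The Python script below is an added example, not part of the original page or the RENATER handler; the function names and the sample web.xml fragment are constructed for illustration.

```python
# Added example, not from the page or the RENATER handler: a consistency check
# for the forceAuthn wiring in web.xml. A CAS client filter mapped to
# /Authn/Cas/ForceAuthn must carry renew=true; one mapped to NoForceAuthn must not.
import xml.etree.ElementTree as ET

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # strip the web-app default namespace

def _child_text(el, tag):
    for c in el:
        if _local(c) == tag:
            return (c.text or "").strip()
    return ""

def cas_filter_renew_flags(web_xml):
    """filter-name -> value of the renew init-param ('' if unset), CAS filters only."""
    flags = {}
    for f in ET.fromstring(web_xml).iter():
        if _local(f) != "filter" or not _child_text(f, "filter-class").startswith("org.jasig.cas."):
            continue
        renew = ""
        for p in f:
            if _local(p) == "init-param" and _child_text(p, "param-name") == "renew":
                renew = _child_text(p, "param-value").lower()
        flags[_child_text(f, "filter-name")] = renew
    return flags

def check_force_authn_wiring(web_xml, cas_path="/Authn/Cas"):
    """Return a list of problems; an empty list means the mappings are consistent."""
    flags, problems = cas_filter_renew_flags(web_xml), []
    for m in ET.fromstring(web_xml).iter():
        if _local(m) != "filter-mapping":
            continue
        name, pattern = _child_text(m, "filter-name"), _child_text(m, "url-pattern")
        if name not in flags:
            continue  # not a CAS client filter, nothing to check
        if pattern == cas_path + "/ForceAuthn" and flags[name] != "true":
            problems.append(f"{name}: mapped to ForceAuthn but renew is not true")
        if pattern == cas_path + "/NoForceAuthn" and flags[name] == "true":
            problems.append(f"{name}: mapped to NoForceAuthn but renew=true")
    return problems

# Constructed web.xml fragment modelled on the page's filter definitions.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
<filter><filter-name>CAS Authentication Filter</filter-name><filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class></filter>
<filter><filter-name>CAS Authentication Filter - forceAuthn</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param><param-name>renew</param-name><param-value>true</param-value></init-param></filter>
<filter-mapping><filter-name>CAS Authentication Filter</filter-name><url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
<filter-mapping><filter-name>CAS Authentication Filter - forceAuthn</filter-name><url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
</web-app>"""
```

Run it against the real file with check_force_authn_wiring(open("/opt/shibboleth-identityprovider/src/main/webapp/WEB-INF/web.xml").read()); any non-empty result means an SP's ForceAuthn request would not actually reach the CAS login form.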