Shibboleth Identity Provider version 3 can also be used as a CAS server instead of Apereo CAS (formerly JASIG CAS); for more information see Use Shibboleth as a CAS server.
This page is intended for administrators who have installed a Shibboleth IdPv2 with CAS authentication following the instructions from JASIG (https://wiki.jasig.org/display/CASUM/Shibboleth-CAS+Integration).
Use this page as a reference: https://wiki.shibboleth.net/confluence/display/SHIB2/SSO-CAS+Login+Handler.
Download and build ssocas-login-handler.

    cd /tmp
    svn export https://subversion.renater.fr/ssocashandler/trunk/ ssocas-login-handler
    cd ssocas-login-handler
    mvn package
    cp target/ssocas-login-handler-0.8.jar /opt/shibboleth-identityprovider/lib/

Edit the file /opt/shibboleth-identityprovider/src/main/webapp/WEB-INF/web.xml
Add the following filters and filter mappings:

    <!-- CAS Authentication Filter - forceAuthn -->
    <filter>
        <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
        <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
        <init-param>
            <param-name>casServerLoginUrl</param-name>
            <param-value>https://cas.example.com/cas/login</param-value> <!-- CHANGE HERE - CAS login url -->
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <!-- CAS Validation Filter - forceAuthn -->
    <filter>
        <filter-name>CAS Validation Filter - forceAuthn</filter-name>
        <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
        <init-param>
            <param-name>casServerUrlPrefix</param-name>
            <param-value>https://cas.example.com/cas</param-value> <!-- CHANGE HERE - CAS url -->
        </init-param>
        <init-param>
            <param-name>renew</param-name>
            <param-value>true</param-value>
        </init-param>
    </filter>

    <!-- CAS Filters Mappings -->
    <filter-mapping>
        <filter-name>CAS Authentication Filter</filter-name>
        <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter</filter-name>
        <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
        <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Validation Filter - forceAuthn</filter-name>
        <url-pattern>/Authn/Cas/ForceAuthn</url-pattern>
    </filter-mapping>

Replace the following filter mappings:

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/Authn/RemoteUser</url-pattern>
    </filter-mapping>

With:

    <filter-mapping>
        <filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
        <filter-name>CAS Assertion Thread Local Filter</filter-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </filter-mapping>

Also add the following among the other servlet mappings.

    <servlet-mapping>
        <servlet-name>RemoteUserAuthHandler</servlet-name>
        <url-pattern>/Authn/Cas/*</url-pattern>
    </servlet-mapping>

Edit the file: /opt/shibboleth-idp/conf/handler.xml
Change

    <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">

To

    <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:sclh="fr:renater:ssocashandler"
                            xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd
                                                fr:renater:ssocashandler classpath:/schema/ssocasloginhandler.xsd">

Change

    <ph:LoginHandler xsi:type="ph:RemoteUser">
        <ph:AuthenticationMethod>
            urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
        </ph:AuthenticationMethod>
        <ph:AuthenticationMethod>
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </ph:AuthenticationMethod>
    </ph:LoginHandler>

To

    <ph:LoginHandler xsi:type="sclh:CentralAuthnService" casFiltersPath="/Authn/Cas">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</ph:AuthenticationMethod>
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

Build and install a new WAR file:

    cd /opt/shibboleth-identityprovider
    ./install.sh

Install to the same path as before; the default is /opt/shibboleth-idp
Remember to answer no when asked whether to overwrite the existing configuration.
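
A check to run on web.xml before building the WAR, added here as an example (not code from the original page or from the ssocas-login-handler project): it reports filter mappings that name an undefined filter, and filters mapped to /Authn/Cas/ForceAuthn without renew set to true, the setting that makes CAS ask for credentials again instead of reusing an existing SSO session. The function names and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def local(el):
    """Tag name without the XML namespace that a real web.xml carries."""
    return el.tag.rsplit("}", 1)[-1]

def child_text(el, name):
    """Stripped text of the first child called `name`, or None."""
    return next(((c.text or "").strip() for c in el if local(c) == name), None)

def check_web_xml(xml_text, force_path="/Authn/Cas/ForceAuthn"):
    """Return a list of problems in the CAS filter setup of a web.xml."""
    root = ET.fromstring(xml_text)
    filters, problems = {}, []
    for f in (e for e in root if local(e) == "filter"):
        filters[child_text(f, "filter-name")] = {
            child_text(p, "param-name"): child_text(p, "param-value")
            for p in f if local(p) == "init-param"}
    for m in (e for e in root if local(e) == "filter-mapping"):
        name, pattern = child_text(m, "filter-name"), child_text(m, "url-pattern")
        if name not in filters:
            problems.append(f"mapping for undefined filter: {name}")
        elif pattern == force_path and filters[name].get("renew") != "true":
            problems.append(f"{name}: renew is not true on {force_path}")
    return problems

# Constructed sample: the forceAuthn validation filter lacks renew, and one mapping names a missing filter
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>CAS Authentication Filter - forceAuthn</filter-name>
    <init-param><param-name>casServerLoginUrl</param-name>
      <param-value>https://cas.example.com/cas/login</param-value></init-param>
    <init-param><param-name>renew</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter>
    <filter-name>CAS Validation Filter - forceAuthn</filter-name>
    <init-param><param-name>casServerUrlPrefix</param-name>
      <param-value>https://cas.example.com/cas</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CAS Authentication Filter - forceAuthn</filter-name>
    <url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter - forceAuthn</filter-name>
    <url-pattern>/Authn/Cas/ForceAuthn</url-pattern></filter-mapping>
  <filter-mapping><filter-name>CAS Validation Filter</filter-name>
    <url-pattern>/Authn/Cas/NoForceAuthn</url-pattern></filter-mapping>
</web-app>"""

print("\n".join(check_web_xml(SAMPLE)))
```

To check a real deployment, pass the contents of the edited web.xml to check_web_xml; an empty list means both checks passed.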