Single sign-on (SSO) using CAS

Yanel supports SSO using CAS, which is implemented as a custom web authenticator. A sample configuration can be found at src/realms/yanel-website/realm.xml.

Installing and running the CAS webapp

The following steps describe how to set up the CAS webapp independently of Yanel:

  • Download the CAS webapp, e.g. http://downloads.jasig.org/cas/cas-server-3.5.2-release.tar.gz
  • Install the CAS webapp as described in cas-server-3.5.2/INSTALL.txt, or just copy cas-server-3.5.2/modules/cas-server-webapp-3.5.2.war into your Tomcat webapps directory, e.g. apache-tomcat-7.0.25/webapps. This Tomcat can be a different instance than the one running the Yanel webapp (if so, make sure that there are no port conflicts).
  • Make sure that the Tomcat running the CAS webapp has SSL enabled: the login form, the ticket validation calls and the proxy callback all carry credentials or tickets and must go over HTTPS.
  • Startup the CAS webapp and access it, e.g.
    • ./apache-tomcat-7.0.25/bin/startup.sh
    • https://127.0.0.1:7443/cas-server-webapp-3.5.2
    • tail -F cas.log
  • In order for the logout redirect to work, set the attribute followServiceRedirects to true inside apache-tomcat-7.0.25/webapps/cas-server-webapp-3.5.2/WEB-INF/cas-servlet.xml (restart Tomcat afterwards).
  • In order to allow CAS proxy tickets, the certificate of the Tomcat running Yanel has to be added as a trusted certificate to the Tomcat running CAS, because CAS calls the proxyCallback URL back over HTTPS:
    • Export the certificate from the keystore (use 'yanelPassword' as password): keytool -export -alias Tomcat -keystore local/apache-tomcat-7.0.25/yanel.keystore -file yanel_cert
    • Create a truststore containing it: keytool -import -alias Tomcat -keystore yanel.truststore -file yanel_cert -storepass 123456 -trustcacerts
    • Configure the Tomcat running the CAS webapp to use this truststore by adding JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/Users/michaelwechner/yanel.truststore -Djavax.net.ssl.trustStorePassword=yanelPassword" inside apache-tomcat-7.0.25/bin/catalina.sh (restart Tomcat afterwards). Note that trustStorePassword must be the same password that was given as -storepass when the truststore was created; the two example values above differ, so use one and the same.
    • Make sure that the hostname of the configured proxyCallback URL (e.g. inside src/realms/yanel-website/realm.xml) is the same as the common name of the certificate (see certificate.common.name inside src/build/(local.)build.properties), otherwise the hostname verification of the callback fails.
  • If the proxied webapp is not accessed by Yanel right away, increase timeToKillInSeconds inside apache-tomcat-7.0.25/webapps/cas-server-webapp-3.5.2/WEB-INF/spring-configuration/ticketExpirationPolicies.xml.
    • Also, if the proxied webapp wants to validate the proxy ticket for every request, increase the parameter numberOfUses, since by default a proxy ticket can only be validated once.

Testing/using CAS together with Yanel

  • Shutdown Yanel
  • Uncomment the CAS web authenticator configuration inside src/realms/yanel-website/realm.xml and make sure that the various CAS URLs are correct
  • Make sure that Yanel itself has been set up with SSL.
  • Startup Yanel and access https://127.0.0.1:8443/yanel/yanel-website/en/about.html?yanel.toolbar=on
  • You should be redirected to the CAS webapp login screen, where you can log in with the following sample credentials
    • Username: lenya
    • Password: lenya
  • You should be redirected back to Yanel and see the Yanel toolbar.

Debugging

  • In order to debug the responses of CAS, set the debug element of the web authenticator configuration to true (see for example src/realms/yanel-website/realm.xml); the responses will then be logged at local/apache-tomcat-7.0.25/temp. Switch this off again when done, since the logged responses contain user names and ticket identifiers.
  • Debug the CAS webapp itself by using tail -F cas.log from where you have the Tomcat started which is running the CAS webapp.
  • Debug the Yanel components accessing CAS: tail -F logs/log4j-cnode1.log
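The following Python script is an added example and not code from Yanel or from the CAS project. It walks through the flow described in the previous two sections from the web authenticator's point of view: the redirect to the CAS login screen with the service parameter, the service ticket coming back on the callback URL, the serviceValidate and proxy requests, and the parsing of the XML responses that the debug setting above writes to disk. The CAS base URL follows the page's example; the proxy callback URL, the ticket values and the XML responses are constructed for this example.

```python
"""CAS 2.0 flow as seen from a web authenticator (added example, not Yanel or CAS code).

All URLs, tickets and XML below are constructed for this example; the CAS base
URL and the service URL follow the examples given on this page.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs
import xml.etree.ElementTree as ET

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}               # namespace of CAS 2.0 responses
CAS_BASE = "https://127.0.0.1:7443/cas-server-webapp-3.5.2"  # CAS webapp URL from this page
SERVICE = "https://127.0.0.1:8443/yanel/yanel-website/en/about.html?yanel.toolbar=on"
PGT_CALLBACK = "https://127.0.0.1:8443/yanel/proxycallback"  # assumed proxyCallback URL


def login_url(cas_base, service):
    """URL an unauthenticated browser is redirected to (the CAS login screen)."""
    return cas_base + "/login?" + urlencode({"service": service})


def extract_ticket(callback_url):
    """After login CAS redirects to service?ticket=ST-...; return (service, ticket).

    The service URL passed to serviceValidate must be exactly the one given to
    /login, so the ticket parameter is stripped again before validation.
    """
    parts = urlsplit(callback_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    tickets = query.pop("ticket", [])
    if not tickets:
        return callback_url, None
    service = urlunsplit((parts.scheme, parts.netloc, parts.path,
                          urlencode(query, doseq=True), parts.fragment))
    return service, tickets[0]


def validate_url(cas_base, service, ticket, pgt_url=None):
    """serviceValidate request; pgtUrl asks CAS to call back over HTTPS with a PGT."""
    params = {"service": service, "ticket": ticket}
    if pgt_url:
        params["pgtUrl"] = pgt_url
    return cas_base + "/serviceValidate?" + urlencode(params)


def proxy_url(cas_base, pgt, target_service):
    """Request a proxy ticket for target_service with the proxy granting ticket."""
    return cas_base + "/proxy?" + urlencode({"pgt": pgt, "targetService": target_service})


def parse_validate_response(xml_text):
    """Parse a serviceValidate/proxyValidate response into a plain dict."""
    root = ET.fromstring(xml_text)
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        return {"ok": True,
                "user": ok.findtext("cas:user", namespaces=CAS_NS),
                "pgt_iou": ok.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
                "proxies": [p.text for p in ok.findall("cas:proxies/cas:proxy", CAS_NS)]}
    fail = root.find("cas:authenticationFailure", CAS_NS)
    if fail is not None:
        return {"ok": False, "code": fail.get("code"), "message": (fail.text or "").strip()}
    raise ValueError("not a CAS 2.0 validation response")


def parse_proxy_response(xml_text):
    """Parse a /proxy response; return the proxy ticket or raise with the failure code."""
    root = ET.fromstring(xml_text)
    ticket = root.findtext("cas:proxySuccess/cas:proxyTicket", namespaces=CAS_NS)
    if ticket:
        return ticket
    fail = root.find("cas:proxyFailure", CAS_NS)
    raise ValueError("proxy ticket request failed: " + (fail.get("code") if fail is not None else "UNKNOWN"))


# Constructed sample responses, shaped like the CAS 2.0 protocol responses.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>lenya</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-1-example</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

PROXY_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:proxySuccess>
    <cas:proxyTicket>PT-1-example</cas:proxyTicket>
  </cas:proxySuccess>
</cas:serviceResponse>"""


def demo():
    """Walk through the flow once with the constructed data and return the results."""
    service, ticket = extract_ticket(SERVICE + "&ticket=ST-1-example")
    if service != SERVICE:
        raise ValueError("service URL changed; CAS would answer INVALID_SERVICE")
    return {"login": login_url(CAS_BASE, SERVICE),
            "validate": validate_url(CAS_BASE, service, ticket, PGT_CALLBACK),
            "success": parse_validate_response(SUCCESS_XML),
            "failure": parse_validate_response(FAILURE_XML),
            "proxy_ticket": parse_proxy_response(PROXY_XML)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

A failure response with code INVALID_TICKET is what you will typically find in the logged responses when a proxy ticket was validated more than numberOfUses times or later than timeToKillInSeconds after it was issued; INVALID_SERVICE points at a service URL that differs from the one sent to /login.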

Using the Yanel login screen instead of the CAS webapp login screen

In order to use the Yanel login screen, set the attribute redirect to false inside the CAS web authenticator configuration, e.g. src/realms/yanel-website/realm.xml.


