SSO - CAS


CAS Installation

This section explains how to configure single sign-on for Apache using CAS (Central Authentication Service) on CentOS 5: CAS runs in Tomcat behind Apache, authenticates users against an Apache password file, and mod_auth_cas protects the web applications.

Set the canonical server name in /etc/httpd/conf/httpd.conf, so that self-referential URLs (from which CAS service URLs are built) use the configured name rather than whatever Host header the client sent

ServerName server.ourdom.com:80
UseCanonicalName On

On CentOS 5, use OpenJDK 1.6.0 and Tomcat 5 from the EPEL repository

yum install java-1.6.0-openjdk java-1.6.0-openjdk-devel tomcat5

Configure the default JAVA_HOME and select the OpenJDK java/javac alternatives

echo "export JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk" > /etc/profile.d/java.sh
chmod +x /etc/profile.d/java.sh
alternatives --config java
alternatives --config javac

Configure Tomcat to use OpenJDK in both /etc/sysconfig/tomcat5 and /etc/tomcat5/tomcat5.conf

JAVA_HOME="/usr/lib/jvm/java-1.6.0-openjdk"

Create a minimal Tomcat server configuration in /etc/tomcat5/server.xml; both connectors are bound to 127.0.0.1, so Tomcat is reachable only through Apache

<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" address="127.0.0.1"
               maxThreads="50" minSpareThreads="5" maxSpareThreads="15"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />
    <Connector port="8009" enableLookups="false" redirectPort="8080"
               address="127.0.0.1" protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false" />
    </Engine>
  </Service>
</Server>

Download the CAS server from http://www.jasig.org/cas/download

Deploy the default CAS web application as sso.war. As shipped it is a test configuration only (its default handler accepts any user whose password equals the user name); the handler is replaced below.

tar xzf cas-server-3.3.3-release.tar.gz
cp cas-server-3.3.3/modules/cas-server-webapp-3.3.3.war /var/lib/tomcat5/webapps/sso.war

Restart Tomcat so that the WAR is unpacked by the server

chkconfig tomcat5 on
service tomcat5 restart

Configure CAS logging to /var/log/tomcat5/sso.log

vim /var/lib/tomcat5/webapps/sso/WEB-INF/classes/log4j.properties
-log4j.appender.logfile.File=cas.log
+log4j.appender.logfile.File=/var/log/tomcat5/sso.log
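Review bot: this change is made inside the unpacked webapps/sso directory, and server.xml above has unpackWARs="true" and autoDeploy="true", so Tomcat will re-expand sso.war and overwrite it whenever the WAR file is newer than the directory (for instance after copying the WAR again); either rebuild the WAR with the edited log4j.properties or keep the change somewhere it can be reapplied after a redeploy. Also check that the new /var/log/tomcat5/sso.log is owned by tomcat and not world-readable, since it records authentication attempts.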

Compile and deploy the authentication handler for Apache password files (ApacheFileAuthenticationHandler.java, expected in the current directory; the class must then be registered in WEB-INF/deployerConfigContext.xml in place of the default test handler)

BASE=/var/lib/tomcat5/webapps/sso/WEB-INF
CP=.`ls -1 $BASE/lib/*.jar | awk '{printf(":%s",$1)}'`
mkdir -p $BASE/classes/org/jasig/cas/adaptors/generic/
javac -cp $CP ApacheFileAuthenticationHandler.java
mv ApacheFileAuthenticationHandler.class $BASE/classes/org/jasig/cas/adaptors/generic/

Enable authentication using Apache password files

Add a user with a plain-text password (-p) to the Apache password file the handler reads. Add -c the first time to create the file. Note that -b puts the password on the command line, where it is visible in the process list and shell history; run htpasswd without -b to be prompted instead.

htpasswd -p -b /etc/httpd/vhosts/users.db user pass

Make users.db readable by Apache and Tomcat only

chown apache:tomcat /etc/httpd/vhosts/users.db
chmod 640 /etc/httpd/vhosts/users.db
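The page's ApacheFileAuthenticationHandler.java is not reproduced here. The following Python, added as an example and not code from the page or from CAS, shows the check such a handler has to perform against an Apache password file, and why the -p entries above are the weak spot: the same file can also hold {SHA} entries (htpasswd -s) and salted $apr1$ MD5 entries (htpasswd -m, the htpasswd default), and the verifier handles all three. The user names, passwords and the sample users.db content are constructed for the example.

```python
import base64
import hashlib
import hmac

# Added example, not the page's ApacheFileAuthenticationHandler.java: verify a
# user name and password against the entry formats an Apache password file
# can contain. The page creates plain-text entries (htpasswd -p); {SHA} and
# $apr1$ entries come from htpasswd -s and htpasswd -m respectively.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's to64(): emit `count` characters, low 6 bits of `value` first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt):
    """Apache APR1 MD5 hash ($apr1$<salt>$<hash>), the algorithm behind htpasswd -m."""
    pw = password.encode()
    salt = salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Mix in the alternate sum, one byte per byte of password.
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[: min(pl, 16)])
    # For each bit of the password length: a NUL byte or the first password byte.
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 stretching rounds, alternating the order of the inputs.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(pw)
        ctx1.update(final if r & 1 else pw)
        final = ctx1.digest()
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    ) + _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + encoded


def verify_entry(stored, password):
    """Check `password` against one htpasswd hash field (constant-time compares)."""
    pw = password.encode()
    if stored.startswith("$apr1$"):
        parts = stored.split("$")          # ['', 'apr1', salt, hash]
        if len(parts) != 4:
            return False
        return hmac.compare_digest(apr1_crypt(password, parts[2]).encode(), stored.encode())
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(pw).digest()).decode()
        return hmac.compare_digest(("{SHA}" + digest).encode(), stored.encode())
    # Anything else is treated as a plain-text entry (htpasswd -p): the password
    # itself sits on disk, which is why users.db must be readable by apache and
    # tomcat only. Traditional crypt() entries (htpasswd -d) will never match.
    return hmac.compare_digest(stored.encode(), pw)


def parse_htpasswd(text):
    """Parse 'user:hash' lines into a dict; blank lines and comments are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def authenticate(users, username, password):
    """The question the CAS handler answers: does this user/password pair match?"""
    stored = users.get(username)
    if stored is None:
        # Hash anyway so that unknown and known users take similar time.
        apr1_crypt(password, "00000000")
        return False
    return verify_entry(stored, password)


# Constructed sample users.db (not from the page). The {SHA} line is the
# standard htpasswd encoding of "password"; the $apr1$ line is generated here.
SAMPLE_DB = "\n".join([
    "plainuser:pass",
    "shauser:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
    "md5user:" + apr1_crypt("s3cret", "TqI9WECO"),
])

if __name__ == "__main__":
    db = parse_htpasswd(SAMPLE_DB)
    for u, p in [("plainuser", "pass"), ("shauser", "password"),
                 ("md5user", "s3cret"), ("md5user", "wrong"), ("nobody", "pass")]:
        print(u, p, authenticate(db, u, p))
```

A plain-text entry gives the password to anyone who can read users.db, which is what the chown/chmod step above protects against; creating the entries with htpasswd -m instead leaves the handler a salted hash to check and nothing reusable on disk.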

Configure the Apache virtual hosts that front Tomcat over AJP in /etc/httpd/vhosts/sso.conf: plain HTTP is redirected to HTTPS, and only the /sso/ path is proxied to Tomcat

<VirtualHost *:80>
ServerName sso.ourdom.com:80
DocumentRoot /var/www/dummy
RewriteEngine On
RewriteRule ^/(.*)$ https://sso.ourdom.com/$1 [R=301,L]
</VirtualHost>
<VirtualHost *:443>
ServerName sso.ourdom.com:443
DocumentRoot /var/www/dummy
Include vhosts/ssl.inc
ProxyPass /sso/ ajp://localhost:8009/sso/
</VirtualHost>

Install mod_auth_cas for your OS (mod_auth_cas-1.0.6-2.el5_temSudParis.i386.rpm for CentOS 5) from the mod_auth_cas RPM download page.

Configure mod_auth_cas in /etc/httpd/conf.d/auth_cas.conf. CASCertificatePath must name the CA that issued the sso.ourdom.com certificate: the reply from CASValidateURL is what decides who the user is, so it has to arrive over a verified TLS connection. CASAllowWildcardCert is only needed if that certificate has a wildcard common name, and the CASCookiePath directory must exist and be writable by the apache user.

LoadModule auth_cas_module modules/mod_auth_cas.so
CASCookiePath /var/run/mod_auth_cas/
CASCertificatePath /etc/pki/ca/ca.crt
CASAllowWildcardCert On
CASLoginURL https://sso.ourdom.com/sso/login
CASValidateURL https://sso.ourdom.com/sso/serviceValidate
CASProxyValidateURL https://sso.ourdom.com/sso/proxyValidate
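What the login and validate URLs are used for, as an added Python example that is not mod_auth_cas code: after CASLoginURL sends the browser back to the protected page with a ticket parameter, the module strips that parameter to recover the service URL, asks CASValidateURL whether the ticket is valid for exactly that service, and reads the user name from the CAS 2.0 XML response. The request URL, ticket values and the two sample responses are constructed for the example; the endpoints are the ones from the configuration above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example (not mod_auth_cas code): the client side of CAS login and
# service-ticket validation. URLs and tickets are constructed for illustration;
# the endpoints match the auth_cas.conf above.
LOGIN_URL = "https://sso.ourdom.com/sso/login"
VALIDATE_URL = "https://sso.ourdom.com/sso/serviceValidate"
CAS_NS = "{http://www.yale.edu/tp/cas}"   # CAS 2.0 response namespace


def build_login_url(login_url, service):
    """Where an unauthenticated browser is sent: /login?service=<protected URL>."""
    return login_url + "?" + urlencode([("service", service)])


def split_service_and_ticket(request_url):
    """CAS redirects back to the service with ?ticket=ST-... appended.
    Recover the ticket and the service URL without it; the service must be
    exactly the string that was passed to /login."""
    parts = urlsplit(request_url)
    ticket = None
    kept = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key == "ticket":
            ticket = value
        else:
            kept.append((key, value))
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return service, ticket


def build_validate_url(validate_url, service, ticket):
    """URL fetched server-to-server to validate the ticket for that service."""
    if not ticket.startswith("ST-"):
        raise ValueError("serviceValidate accepts service tickets (ST-...) only")
    if urlsplit(validate_url).scheme != "https":
        # The answer decides who the user is, so it must come over TLS from the
        # CAS server whose CA is pinned with CASCertificatePath.
        raise ValueError("validate URL must use https")
    return validate_url + "?" + urlencode([("service", service), ("ticket", ticket)])


def parse_service_response(body):
    """Parse a CAS 2.0 serviceValidate response.
    Returns (user, None) on success and (None, failure_code) otherwise; anything
    that is not a well-formed success is treated as a failure."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    if root.tag != CAS_NS + "serviceResponse":
        return None, "MALFORMED_RESPONSE"
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = (success.findtext(CAS_NS + "user") or "").strip()
        return (user, None) if user else (None, "MALFORMED_RESPONSE")
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return None, failure.get("code", "UNKNOWN")
    return None, "MALFORMED_RESPONSE"


# Constructed sample responses in the CAS 2.0 format (not captured from a server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-12-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    back = "https://app.ourdom.com/some/path?x=1&ticket=ST-12-abc"
    service, ticket = split_service_and_ticket(back)
    print(build_login_url(LOGIN_URL, service))
    print(build_validate_url(VALIDATE_URL, service, ticket))
    print(parse_service_response(SUCCESS_XML), parse_service_response(FAILURE_XML))
```

Two points matter when debugging a deployment: the service string sent to serviceValidate must be byte-for-byte the one sent to /login, otherwise CAS answers with the INVALID_SERVICE failure code, and the response is only trustworthy because it is fetched over TLS from the server whose CA CASCertificatePath pins, which is why a plain-http validate URL is refused here.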

Protect the parts of your web applications that require a login

<Location "/some/path">
 AuthType CAS
 Require valid-user
</Location>

Restart Apache
