Configure Web-SSO using CAS authorization

1. Jetty XML Configuration

  • Open the $JETTY_HOME/etc/webdefault.xml file
  • Add the following content at the end of the file, as the last item inside the root element:
<!-- CAS Configuration: BEGIN -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- CAS Configuration: END -->

2. Jetty Properties Configuration

  • For Windows:
    - Open the Lycia Web Server Manager application
    - Add the following options to the end of Java → Java Options
  • For Linux:
    - Open the /etc/systemd/system/qx-web.service.d/qx-web.conf text file
    - Add the following options to the end of the JAVA_OPTIONS environment variable
-Dcas.server.host=example.querix.com:1111
-Dcas.client.host=localhost:9443
-Dcas.client.context=LyciaWeb
-Dcas.auth.privatekey=d:/work/cas_service_private.key
-Dcas.auth.login=login
-Dcas.auth.password=credential

*The values in this example are the default values, so if an option is omitted, its default value is used.

Property              Description
cas.server.host       CAS hostname
cas.client.host       Lycia hostname
cas.client.context    Lycia web server context. By default this is the LyciaWeb application
cas.auth.privatekey   Path to the private key used to decode the password received from the CAS ClearPass extension. The corresponding public key must be registered at the CAS server
cas.auth.login        Name of the attribute field in which the login is stored. If an empty value is specified, the original username id is used
cas.auth.password     Name of the attribute field in which the encoded password is stored

If you want to use the default user name from CAS instead of a specific attribute field, set the cas.auth.login property to an empty value:

-Dcas.auth.login=

Note that Jetty only works correctly with sessions whose HTTP origin matches the one configured in the cas.client.host property: the redirect to CAS must be made from the same origin that CAS redirects back to.
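The following added example (not part of the original Lycia/CAS documentation) shows how the -Dcas.* options from section 2 behave: omitted options fall back to the documented defaults, an empty cas.auth.login means the CAS principal id is used instead of an attribute field, and a request is only accepted as matching the configured cas.client.host when its origin is identical. The JAVA_OPTIONS string, attribute map and the https scheme assumption are constructed for this example.

```python
"""Added example: parse -Dcas.* Java options, apply the documented defaults,
resolve the login attribute and apply the same-origin rule. Not code from the
Lycia product; sample option strings and CAS attributes are constructed."""
from urllib.parse import urlsplit

# Defaults as listed in the documentation (an omitted option falls back to these).
CAS_DEFAULTS = {
    "cas.server.host": "example.querix.com:1111",
    "cas.client.host": "localhost:9443",
    "cas.client.context": "LyciaWeb",
    "cas.auth.privatekey": "d:/work/cas_service_private.key",
    "cas.auth.login": "login",
    "cas.auth.password": "credential",
}


def parse_cas_options(java_options: str) -> dict:
    """Extract -Dcas.*=value pairs from a JAVA_OPTIONS string and merge them
    over the defaults. '-Dcas.auth.login=' is kept as the empty string on
    purpose: the documentation says an empty value means 'use the username id'."""
    opts = dict(CAS_DEFAULTS)
    for token in java_options.split():
        if not token.startswith("-Dcas."):
            continue  # unrelated JVM flag such as -Xmx
        key, sep, value = token[2:].partition("=")
        if sep:  # a bare '-Dkey' without '=' carries no value and is ignored
            opts[key] = value
    return opts


def resolve_login(opts: dict, principal_id: str, attributes: dict) -> str:
    """Return the login name that would be used for the authenticated principal."""
    field = opts["cas.auth.login"]
    if field == "":
        return principal_id
    if field not in attributes:
        raise KeyError(f"CAS attribute '{field}' (cas.auth.login) missing from response")
    return attributes[field]


def same_origin(request_url: str, client_host: str, scheme: str = "https") -> bool:
    """True only if the browser's origin (scheme + host:port) equals the
    configured cas.client.host; the https scheme is an assumption of this example."""
    parts = urlsplit(request_url)
    return parts.scheme == scheme and parts.netloc.lower() == client_host.lower()


if __name__ == "__main__":
    # Constructed JAVA_OPTIONS line: overrides the server host and empties the login field.
    sample = "-Xmx1g -Dcas.server.host=cas.example.test:8443 -Dcas.auth.login="
    opts = parse_cas_options(sample)
    print(opts)
    print(resolve_login(opts, "jdoe", {"login": "john.doe"}))          # jdoe (empty login field)
    print(same_origin("https://localhost:9443/LyciaWeb/", opts["cas.client.host"]))   # True
    print(same_origin("https://127.0.0.1:9443/LyciaWeb/", opts["cas.client.host"]))   # False
```

The same_origin check is the practical consequence of the note above: a browser that reached Jetty via 127.0.0.1 while cas.client.host says localhost will come back from CAS to a different origin and will not find its session.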

3. SSL Certificate

The default Java KeyStore has to be configured to trust the CAS SSL certificate.

  • Run Command Prompt as Administrator
  • Below is an example command. Replace the file path with the path to the newly saved certificate file (cas_web_public.key in this command)

    keytool -importcert -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit -noprompt -alias "Querix CAS" -file D:/work/cas_web_public.key

Certificates

  • Downloadable cas_service_private.key
    • This private key is used by the Jetty Spring server to validate responses from the CAS server
    • It is referenced in the Jetty properties by the option -Dcas.auth.privatekey=
  • Downloadable cas_web_public.key
    • This public key should be added as trusted to avoid security errors when connecting to the CAS server
    • It is used in the SSL certificate registration with the keytool application

4. Authentication

  • Go to https://localhost:9443/LyciaWeb/
  • If no session is found, you will be redirected to CAS server with a login form
  • Enter your username and the password of your LDAP account
  • You will be redirected back to https://localhost:9443/LyciaWeb/ and no further authentication is required
  • You are authenticated automatically for as long as the Jetty session is alive

5. Access to programs

By default, programs are deployed to the /Lycia/progs folder. Deploying a program must be done by a user with write access to this folder. The problem is that a secure instance runs qrun as the logged-in user, who may not have the write access needed to create the object cache. If domain users are used there is a solution: map the domain users to a local group that has write access to the object cache.

To give a domain group access to the /Lycia/progs folder on Linux, map it to a local group in the following way:

  • Create a UNIX group (usually in /etc/group); let's call it domusr

  • Add to this group the users that must be Administrators. For example, if you want joe, john, and mary to be administrators, your entry in /etc/group will look like this:

    domusr:x:502:joe,john,mary
  • Map this domusr group to the “Domain Users” group by executing the command:

    net groupmap add ntgroup="Domain Users" unixgroup=domusr rid=513 type=d

    The quotes around “Domain Users” are necessary due to the space in the group name. Also, make sure to leave no white space surrounding the equal character (=).

    https://www.samba.org/samba/docs/old/Samba3-HOWTO/groupmapping.html
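As an added example (not from the original page or from Samba), the following Python models the Unix permission decision that the mapping above is meant to satisfy: once a domain user is a member of domusr and /Lycia/progs is group-owned by domusr with the group write bit set, qrun running as that user can create the object cache. The /etc/group lines and the directory ownership and mode are constructed sample values.

```python
"""Added example: parse /etc/group-style entries and evaluate the classic
owner/group/other write decision for a directory. Not Lycia or Samba code;
the group file contents and directory attributes are constructed."""
import stat

# Constructed /etc/group excerpt, matching the domusr entry in the text above.
SAMPLE_GROUP_FILE = """\
root:x:0:
# domain users mapped to a local group (constructed sample)
domusr:x:502:joe,john,mary
"""


def parse_group_file(text: str) -> dict:
    """Parse 'name:password:gid:member1,member2' lines into {group: set(members)}.
    Blank lines, comments and malformed lines are skipped."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") < 3:
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def can_write(user: str, primary_group: str, groups: dict,
              owner: str, group: str, mode: int) -> bool:
    """Unix write check for a directory with the given owner, group and mode.
    The user's primary group is passed explicitly because /etc/group only
    lists supplementary members."""
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    in_group = primary_group == group or user in groups.get(group, set())
    if in_group:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    # /Lycia/progs owned by lycia:domusr with mode 0775 (constructed assumption).
    for user in ("joe", "alice"):
        print(user, can_write(user, user, groups, "lycia", "domusr", 0o775))
    # Same directory without the group write bit: even members cannot write.
    print("joe", can_write("joe", "joe", groups, "lycia", "domusr", 0o755))
```

The third check is the one to keep in mind: membership in the mapped group is only half of the setup; the folder (and the object cache directory created inside it) must actually be group-owned by domusr with the group write bit set, and no wider than that.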

Documentation

https://apereo.github.io/cas/6.0.x/protocol/Protocol-Overview.html

(Figure: proxy web flow diagram)

(Figure: kerberos cas ad)

ClearPass is the fastest and simplest way to implement, but it carries the highest security risk: the user's password is forwarded to the service, so the private key referenced by cas.auth.privatekey must be protected accordingly.