Configure Web-SSO using CAS authentication
1. Jetty XML Configuration
- Open the $JETTY_HOME/etc/webdefault.xml file
- Add the following content at the end of the file, as the last item inside the root <web-app> tag:

```xml
<!-- CAS Configuration: BEGIN -->
<listener>
  <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
<listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- CAS Configuration: END -->
```
2. Jetty Properties Configuration
- For Windows:
  - Open the Lycia Web Server Manager application
  - Add the following options to the end of Java → Java Options
- For Linux:
  - Open the /etc/systemd/system/qx-web.service.d/qx-web.conf text file
  - Add the following options to the end of the JAVA_OPTIONS environment variable

```
-Dcas.server.host=example.querix.com:1111 -Dcas.client.host=localhost:9443 -Dcas.client.context=LyciaWeb -Dcas.auth.privatekey=d:/work/cas_service_private.key -Dcas.auth.login=login -Dcas.auth.password=credential
```

* The values in this example are the defaults, so any option that is omitted takes the value shown here.
Property | Description
---|---
cas.server.host | CAS server hostname and port
cas.client.host | Lycia hostname and port
cas.client.context | Lycia WebServer context. By default this is the LyciaWeb application
cas.auth.privatekey | Path to the private key used to decrypt the password attribute delivered by the CAS ClearPass extension. The matching public key must be registered with the CAS server for this service
cas.auth.login | Name of the attribute that holds the login name. If an empty value is specified, the principal id returned by CAS is used instead
cas.auth.password | Name of the attribute that holds the encrypted password
If you want to use the user name returned by CAS instead of a specific attribute, set the cas.auth.login property to an empty value:

```
-Dcas.auth.login=
```
Note that Jetty only handles the SSO session correctly when the browser's HTTP origin matches the one configured in the cas.client.host property. The redirect to CAS must be initiated from the same origin that CAS redirects back to: the Jetty session cookie is bound to the host name the browser used, so a user who starts at a different host name than the one CAS returns to lands in a fresh session and is sent to CAS again.
3. SSL Certificate
The Java default KeyStore has to be configured to trust the CAS server's SSL certificate.
- Run Command Prompt as Administrator. Below is an example command; replace the file path with the location of the newly saved file (cas_web_public.key in this example):

```
keytool -importcert -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit -noprompt -alias "Querix CAS" -file D:/work/cas_web_public.key
```

The jre/lib/security/cacerts path is the Java 8 layout; from Java 9 onward the default truststore is %JAVA_HOME%/lib/security/cacerts. changeit is the stock password of that truststore. Confirm the import with keytool -list on the same keystore and alias before restarting Jetty.
Certificates
- Downloadable cas_service_private.key
  - This private key is used by the Jetty Spring client to decrypt the ClearPass password attribute in responses from the CAS server
  - It is referenced in the Jetty properties by the -Dcas.auth.privatekey= option
  - Restrict read access on this file to the account that runs Jetty: anyone who can read it can recover every password that CAS relays through ClearPass
- Downloadable cas_web_public.key
  - This public certificate must be added as trusted to avoid TLS errors when connecting to the CAS server
  - It is used in the SSL certificate registration with the keytool application
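What the cas.auth.privatekey setting actually does on the client side, as an added example in Go that is not part of Lycia or of the Jasig/Apereo CAS client: it loads a PEM private key of the kind stored in cas_service_private.key, Base64-decodes the ClearPass attribute and RSA-decrypts it, and shows that a tampered value is rejected rather than decrypting to garbage. The encryption step stands in for the CAS server so the example runs offline; RSA with PKCS#1 v1.5 padding and a Base64-encoded attribute value are assumptions about the CAS side, and the key pair is generated on the fly instead of being read from disk.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// loadPrivateKey parses a PEM-encoded RSA private key such as the file
// referenced by -Dcas.auth.privatekey. PKCS#1 and PKCS#8 encodings are accepted.
func loadPrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rk, ok := k.(*rsa.PrivateKey); ok {
			return rk, nil
		}
		return nil, errors.New("PKCS#8 key is not RSA")
	}
	return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
}

// decryptCredential is the client-side step: Base64-decode the attribute
// named by cas.auth.password and RSA-decrypt it with the service private key.
// PKCS#1 v1.5 padding is an assumption about how the CAS server encrypts.
func decryptCredential(priv *rsa.PrivateKey, attr string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(attr)
	if err != nil {
		return "", fmt.Errorf("attribute is not base64: %w", err)
	}
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, priv, ct)
	if err != nil {
		return "", fmt.Errorf("decryption failed (wrong key or tampered value): %w", err)
	}
	return string(pt), nil
}

// encryptCredential simulates the CAS server, which encrypts the password to
// the public key registered for the service and Base64-encodes the result.
func encryptCredential(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, pub, []byte(password))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// demoKeyPEM constructs a throwaway key pair in place of cas_service_private.key
// (example only; a deployment reads the real file from disk).
func demoKeyPEM() ([]byte, *rsa.PublicKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{
		Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	return pemBytes, &priv.PublicKey
}

// roundTrip returns the password the client recovers from a well-formed attribute.
func roundTrip(password string) (string, error) {
	pemBytes, pub := demoKeyPEM()
	attr, err := encryptCredential(pub, password)
	if err != nil {
		return "", err
	}
	priv, err := loadPrivateKey(pemBytes)
	if err != nil {
		return "", err
	}
	return decryptCredential(priv, attr)
}

// rejectsTampered reports whether a ciphertext modified in transit is refused.
func rejectsTampered(password string) bool {
	pemBytes, pub := demoKeyPEM()
	attr, _ := encryptCredential(pub, password)
	ct, _ := base64.StdEncoding.DecodeString(attr)
	ct[len(ct)/2] ^= 0xff // corrupt one byte of the ciphertext
	priv, _ := loadPrivateKey(pemBytes)
	_, err := decryptCredential(priv, base64.StdEncoding.EncodeToString(ct))
	return err != nil
}

func main() {
	got, err := roundTrip("s3cret-ldap-pass")
	fmt.Println(got, err, rejectsTampered("s3cret-ldap-pass"))
}
```

The point to take from the failure branch is that the private key is the only thing standing between the ClearPass attribute and the user's LDAP password: the attribute itself carries no signature, so the key file's permissions and the TLS trust configured in this section are what make the relayed credential safe.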
4. Authentication
- Go to https://localhost:9443/LyciaWeb/
- If no session is found, you are redirected to the CAS server's login form
- Enter the username and password of your LDAP account
- You are redirected back to https://localhost:9443/LyciaWeb/ and no further authentication is required
- You remain authenticated as long as the Jetty session is alive
5. Access to programs
By default, programs are deployed to the /Lycia/progs folder. Deploying a program must be done by a user with write access to this folder. The problem is that a secure instance runs qrun as the logged-in user, who may not have the write access needed to create the object cache. When domain users are in use there is a solution: map the domain users to a local group that has write access to the object cache.
To configure Domain Group access to the /Lycia/progs folder on Linux, map it to a local group as follows:
- Create a UNIX group (usually in /etc/group); let's call it domusr
- Add to this group the users that must be able to write to the folder. For example, if joe, john and mary should have that access, the entry in /etc/group will look like this:

```
domusr:x:502:joe,john,mary
```

- Map the domusr group to the "Domain Users" group by executing the command:

```
net groupmap add ntgroup="Domain Users" unixgroup=domusr rid=513 type=d
```

The quotes around "Domain Users" are necessary because of the space in the group name. Also make sure there is no white space around the equals sign (=). The folder itself must be group-owned by domusr and group-writable for the mapping to have any effect.
https://www.samba.org/samba/docs/old/Samba3-HOWTO/groupmapping.html
Documentation
- https://apereo.github.io/cas/6.0.x/protocol/Protocol-Overview.html

ClearPass is the fastest and simplest way to implement this, but it carries the highest security risk: the CAS server hands the user's real password to the application (encrypted to the service's public key), so a compromised Lycia host or a leaked cas_service_private.key exposes users' LDAP passwords rather than just their sessions.