I'm facing an issue while using a CAS architecture for one of my customers.
To summarize, all web apps require the user to be logged in on a CAS server to allow access.
If I go on the "CAS" bookmark and manually log in, then my session is created and I have access to all webapps without reauthentication.
My problem is that I want to do SSO on CAS, since the credentials are the same as those used for authentication on SA.
I've tried many methods (Post, basic SSO, Remote SSO, Kerberos) with no success.
If someone here has already managed to set up SA with CAS SSO, I'd like to hear from you guys.
I haven't seen this yet so I cannot provide hints on the configuration; however, I can provide hints on finding the information needed to troubleshoot.
What you will do is take a dsrecord (Troubleshooting>Monitoring>User Sessions>Session Recording) for a user. Once you have this enabled, disable your CAS SSO policies, and log in as the user you are tracing. Once you have completed login, stop the session recording and save the file. When you are looking at the text file, some things to check for:
POST: If you see a line that starts with POST, this means the site is using form POST authentication. You will see the required variables for the site listed. For example, username=user&password=pass&Log+In=Explicit.
You will take these values and set this name/value up in the POST config.
NTLM: If you see WWW-Authenticate: NTLM, you will need to configure this type of SSO at Users>Resource Policies>Web>SSO>General.
Basic auth: if you see WWW-Authenticate: Basic, you will need to configure this at the same location as NTLM.
Thanks for your help.
So it seems it's a POST form:
<form id="fm1" class="fm-v clearfix" action="/cas/login;jsessionid=D342769083869FFB90EFF7812A2C9ED8.cas1" method="post">
with "username" and "password"
<label for="username" class="fl-label"><span class="accesskey">I</span>dentifiant (login) :</label>
<input id="username" name="username" class="required" tabindex="1" onchange="this.value = this.value.toLowerCase()" accesskey="i" type="text" value="" size="25" autocomplete="off"/>
<input id="password" name="password" class="required" tabindex="2" accesskey="m" type="password" value="" size="25" autocomplete="off"/>
However, the "POST" method doesn't work, maybe because there is a session cookie negotiated between server and client; the goal of this CAS server is to be the central authentication which grants resources to all other web servers.
I have a JTAC case open, but I'm posting here in case someone has already had this problem.
Tried the post method and others with no success.
But if I set up "basic SSO" for all my web resources, once I manually log in to CAS, I have SSO on all web bookmarks (it doesn't work without), but it's impossible to make SSO work for this CAS at first...
May I add that there are more values in the POST form, it seems:
<input type="hidden" name="lt" value="e1s1" />
<input type="hidden" name="_eventId" value="submit" />
<input class="btn-submit" name="submit" accesskey="l" value="SE CONNECTER" tabindex="4" type="submit" />
<input class="btn-reset" name="reset" accesskey="c" value="EFFACER" tabindex="5" type="reset" />
But I tried adding them too, no changes.
Another piece of information which might be useful:
<form autocomplete="off" id="fm1" class="fm-v clearfix" action="/cas/,DanaInfo=cascustomer.fr,SSL+login;jsessionid=7053970C6F6D5B5A9040DDF06BFB1170.cas1" method="post">
So, I'm not an expert in this, but it seems that this is the URL where I have to post, so it's modified with the jsessionid, which can explain that if it's different each time, I can't specify the URL to "post" in SA, since it will contain a variable?
Actually it's the main question I have, and my customer is not helping much.
I've tried all SSO setups with no success; CAS is meant to be a kind of "kerberos proxy" if I have understood the documentation I read correctly, but Kerberos SSO is not working either.
Thanks for your help, I'll investigate more with JTAC if no one here has already had this setup working.
(And Happy New Year, by the way.)
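Added example, not part of the thread or of any vendor tooling: a short Python check that parses two fetches of the CAS login page and reports which form values differ between them, which is the question raised above about the jsessionid in the action URL and the hidden `lt` field. Capture A reuses the markup quoted in the thread; capture B and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

class LoginFormParser(HTMLParser):
    """Collect the first form's action URL and its named input values."""
    def __init__(self):
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and self.action is None:
            self.action = a.get("action", "")
        elif tag == "input" and a.get("name") and a.get("type") != "reset":
            # Reset buttons are never submitted, so they are skipped.
            self.fields[a["name"]] = a.get("value", "")

def parse_form(html):
    parser = LoginFormParser()
    parser.feed(html)
    return parser.action, parser.fields

def per_request_values(capture_a, capture_b):
    """Names whose value differs between two fetches of the login page.
    The name 'action' stands for the form's action URL."""
    act_a, f_a = parse_form(capture_a)
    act_b, f_b = parse_form(capture_b)
    changed = {n for n in f_a.keys() | f_b.keys() if f_a.get(n) != f_b.get(n)}
    if act_a != act_b:
        changed.add("action")
    return sorted(changed)

# Form layout taken from the markup quoted in the thread (attributes trimmed).
FORM = '''<form id="fm1" action="/cas/login;jsessionid={sid}.cas1" method="post">
<input id="username" name="username" type="text" value="" />
<input id="password" name="password" type="password" value="" />
<input type="hidden" name="lt" value="{lt}" />
<input type="hidden" name="_eventId" value="submit" />
<input name="submit" value="SE CONNECTER" type="submit" />
<input name="reset" value="EFFACER" type="reset" />
</form>'''
CAPTURE_A = FORM.format(sid="D342769083869FFB90EFF7812A2C9ED8", lt="e1s1")
# Constructed second fetch: placeholder session id and lt value.
CAPTURE_B = FORM.format(sid="00000000000000000000000000000002", lt="e2s1")

if __name__ == "__main__":
    print("differs between fetches:", per_request_values(CAPTURE_A, CAPTURE_B))
```

Running the same comparison on two real session recordings shows which names would need a value that a fixed name/value POST definition cannot supply in advance.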