SSO using a CAS server

Occasional Contributor

SSO using a CAS server

Hi,

I'm facing an issue while using a CAS architecture for one of my customers.

To summarize, all web apps require being logged in on a CAS server to allow access.

If I go to the "CAS" bookmark and manually log in, then my session is created and I have access to all web apps without reauthentication.

My problem is that I want to do SSO on CAS, since the credentials are the same as those used for authentication on SA.

I've tried many methods (POST, basic SSO, Remote SSO, Kerberos) with no success.

If someone here has already managed to set up SA with CAS SSO, I'd like to hear from you guys :)

 

Regards,

Vincent

Respected Contributor

Re: SSO using a CAS server

I haven't seen this yet so I cannot provide hints on the configuration; however, I can provide hints on finding the information needed to troubleshoot.

What you will do is take a dsrecord (Troubleshooting>Monitoring>User Sessions>Session Recording) for a user. Once you have this enabled, disable your CAS SSO policies, and log in as the user you are tracing. Once you have completed login, stop the session recording and save the file. When you are looking at the text file, some things to check for:

 

POST: If you see a line that starts with POST, this means the site is using form POST authentication. You will see the required variables for the site listed. For example, username=user&password=pass&Log+In=Explicit.

You will take these values and set this name/value up in the POST config.

 

NTLM: If you see WWW-Authenticate: NTLM, you will need to configure this type of SSO at Users>Resource Policies>Web>SSO>General. 

 

Basic auth: if you see WWW-Authenticate: Basic, you will need to configure this at the same location as NTLM.

Occasional Contributor

Re: SSO using a CAS server

Hi,

 

Thanks for your help.

 

So it seems it's a POST form:

<form id="fm1" class="fm-v clearfix" action="/cas/login;jsessionid=D342769083869FFB90EFF7812A2C9ED8.cas1" method="post">

with "username" and "password"

<label for="username" class="fl-label"><span class="accesskey">I</span>dentifiant (login) :</label>

<input id="username" name="username" class="required" tabindex="1" onchange="this.value = this.value.toLowerCase()" accesskey="i" type="text" value="" size="25" autocomplete="off"/>

<input id="password" name="password" class="required" tabindex="2" accesskey="m" type="password" value="" size="25" autocomplete="off"/>

 

However, the "POST" method doesn't work, maybe because there is a session cookie negotiated between server and client; the goal of this CAS server is to be the central authentication which grants resources to all other web servers.

I have a JTAC case open, but I'm posting here in case someone has already had this problem.

 

Tried the POST method and others with no success.

But if I set up "basic SSO" for all my web resources, once I manually log in to CAS, I have SSO on all web bookmarks (it doesn't work without), but it's impossible to do SSO for this CAS at first...

Occasional Contributor

Re: SSO using a CAS server

May I add that there are more values in the POST form, it seems:

                        <input type="hidden" name="lt" value="e1s1" />
                        <input type="hidden" name="_eventId" value="submit" />

                        <input class="btn-submit" name="submit" accesskey="l" value="SE CONNECTER" tabindex="4" type="submit" />
                        <input class="btn-reset" name="reset" accesskey="c" value="EFFACER" tabindex="5" type="reset" />

 

But I tried adding them too, no change.

Occasional Contributor

Re: SSO using a CAS server

Another piece of information which might be useful:

<form autocomplete="off" id="fm1" class="fm-v clearfix" action="/cas/,DanaInfo=cascustomer.fr,SSL+login;jsessionid=7053970C6F6D5B5A9040DDF06BFB1170.cas1" method="post">

 

So, I'm not an expert in this, but it seems that this is the URL where I have to post, and it's modified with the jsessionid, which could explain that, if it's different each time, I can't specify the URL to "post" in SA, since it will contain a variable?

Respected Contributor

Re: SSO using a CAS server

It looks like this is using JavaScript for the POST/information to send the login information. This is not supported as it is not a standard HTML form POST, which is the requirement for POST-based SSO. Are there other options, such as Basic or NTLM, for authentication that can be used?

Occasional Contributor

Re: SSO using a CAS server

Actually it's the main question I have, and my customer is not helping much.

 

I've tried all SSO setups with no success. CAS is meant to be a kind of "Kerberos proxy", if I have understood correctly the documentation I read, but Kerberos SSO is not working either.

 

Thanks for your help, I'll investigate more with JTAC if no one here has already had this setup working.

 

(And Happy New Year by the way ;) )

Respected Contributor

Re: SSO using a CAS server

Happy New Year to you as well.
Yes, your best bet at this point is to work with JTAC. Based on what information is available this cannot be done as there is no POST but a JavaScript process that handles login.

Re: SSO using a CAS server

Any new information on this? I have the same requirement.