The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
This post walks through setting up a CAS server and integrating it with Confluence.
Environment Details and Software Versions:
- Ubuntu 12.04 LTS.
- Jasig CAS 3.5.2.
- Confluence 5.9.8, Confluence 5.9.9.
Prerequisite:
- Basic knowledge of Confluence and the CAS server.
Step-1: Set up a CAS server. You can find the steps to set up CAS in the following blog post.
http://www.surekhatech.com/blog/liferay-sso-integration
Step-2: Stop the Confluence system and add “cas-client-core-3.3.3.jar” and “cas-client-integration-atlassian-3.3.3.jar” in $CONFLUENCE_INSTALL/WEB-INF/lib.
Step-3: Add the following CAS client filter configuration to the end of the filter list in $CONFLUENCE_INSTALL/WEB-INF/web.xml:
<filter>
    <filter-name>CasSingleSignOutFilter</filter-name>
    <filter-class>org.jasig.cas.client.session.SingleSignOutFilter</filter-class>
</filter>
<filter>
    <filter-name>CasAuthenticationFilter</filter-name>
    <filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
    <init-param>
        <param-name>casServerLoginUrl</param-name>
        <param-value>https://cas.company.com/cas/login</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://wiki.company.com</param-value>
    </init-param>
</filter>
<filter>
    <filter-name>CasValidationFilter</filter-name>
    <filter-class>org.jasig.cas.client.validation.Cas20ProxyReceivingTicketValidationFilter</filter-class>
    <init-param>
        <param-name>casServerUrlPrefix</param-name>
        <param-value>https://cas.company.com/cas</param-value>
    </init-param>
    <init-param>
        <param-name>serverName</param-name>
        <param-value>https://wiki.company.com</param-value>
    </init-param>
    <init-param>
        <param-name>redirectAfterValidation</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
Step-4: Add the following CAS client filter mappings before the login filter-mapping in $CONFLUENCE_INSTALL/WEB-INF/web.xml:
<filter-mapping>
    <filter-name>CasSingleSignOutFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasAuthenticationFilter</filter-name>
    <url-pattern>/login.action</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>CasValidationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Step-5: Add the Single Sign Out listener to the list of listeners, also in $CONFLUENCE_INSTALL/WEB-INF/web.xml:
<listener>
    <listener-class>org.jasig.cas.client.session.SingleSignOutHttpSessionListener</listener-class>
</listener>
Step-6: Modify the following in $CONFLUENCE_INSTALL/WEB-INF/classes/seraph-config.xml
<init-param>
    <param-name>login.url</param-name>
    <!--<param-value>/login.action?os_destination=${originalurl}</param-value>-->
    <param-value>https://cas.company.com/cas/login?service=${originalurl}</param-value>
</init-param>
<init-param>
    <param-name>link.login.url</param-name>
    <!--<param-value>/login.action</param-value>-->
    <param-value>https://cas.company.com/cas/login?service=${originalurl}</param-value>
</init-param>
Step-7: Comment out the DefaultAuthenticator and add JASIG CAS Confluence Authenticator in $CONFLUENCE_INSTALL/WEB-INF/classes/seraph-config.xml
<authenticator class="org.jasig.cas.client.integration.atlassian.Confluence35CasAuthenticator"/>
Step-8: Configure CAS Logout instead of Confluence logout:
- Copy “$CONFLUENCE_INSTALL/WEB-INF/lib/confluence-5.9.9.jar” to a temporary directory.
- Unpack the jar.
- Copy xwork.xml to $CONFLUENCE_INSTALL/WEB-INF/classes.
- Edit $CONFLUENCE_INSTALL/WEB-INF/classes/xwork.xml, find the logout action and comment out the success result and replace it as shown below.
<action name="logout" class="com.atlassian.confluence.user.actions.LogoutAction">
    <interceptor-ref name="defaultStack"/>
    <result name="error" type="velocity">/logout.vm</result>
    <!-- <result name="success" type="redirect">${logoutUrl}</result> -->
    <result name="success" type="redirect">https://cas.company.com/cas/logout?service=https://wiki.company.com</result>
</action>
Step-9: Import the CAS certificate into the JVM trust store $CONFLUENCE_INSTALL/jre/lib/security/cacerts:
sudo keytool -import -keystore $CONFLUENCE_INSTALL/jre/lib/security/cacerts -alias cas_cert -file /etc/certificate-directory/certificate
Step-10: Set the trust store options in JAVA_OPTS in $CONFLUENCE_INSTALL/bin/setenv.sh, keeping any options that are already set:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CONFLUENCE_INSTALL/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
Step-11: Finally, restart Confluence. Confluence is now ready for CAS authentication.