The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password. The name CAS also refers to a software package that implements this protocol.
In this blog, you can find the steps for setting up a CAS server and integrating it with Alfresco.
Environment Details and Software Versions:
Prerequisite:
Step-1: Set up a CAS server. You can find the steps to set up CAS in the following blog:
http://www.surekhatech.com/blog/liferay-sso-integration
Step-2: Configure CAS Mod Auth in Apache web server:
- Use the commands below, one at a time, to install and enable the module for CAS authentication.
- sudo apt-get install libapache2-mod-auth-cas
- sudo a2enmod auth_cas
- Remove all the content from the auth_cas.conf file, which is located in /etc/apache2/mods-available.
- Add the following content to the auth_cas.conf file:
CASVersion 2
CASCookiePath /var/cache/apache2/mod_auth_cas/
CASLoginURL https://sso.cas.edu/cas/login
CASValidateURL https://sso.cas.edu/cas/serviceValidate
CASValidateServer Off
CASDebug On
CASCertificatePath /etc/apache2/ssl/sso.cas.edu.crt
<LocationMatch ^/alfresco/(?!service/|service$|webdav/|webdav$|s/|s$|scripts/|css/|images/).*>
AuthType CAS
AuthName "CAS"
require valid-user
CASAuthNHeader SsoUserHeader
CASScope /alfresco
</LocationMatch>
<Location /share>
AuthType CAS
AuthName "CAS"
require valid-user
CASAuthNHeader SsoUserHeader
CASScope /share
</Location>
<Location /examples>
AuthType CAS
AuthName "CAS"
require valid-user
CASAuthNHeader SsoUserHeader
CASScope /examples
</Location>
Update CASLoginURL, CASValidateURL and CASCertificatePath as per your configuration.
Step-3: Configure Authentication certificates in JVM and TOMCAT:
a. Use the command below to import the certificate into the JVM trust store.
sudo keytool -import -keystore /usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts -alias cas_cert -file /etc/apache2/ssl/sso.cas.edu.crt
b. Edit alfresco/tomcat/bin/setenv.sh file.
JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/java-7-oracle/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=changeit $JAVA_OPTS "
c. Edit alfresco/tomcat/conf/server.xml file.
<Connector port="8009" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="8443"
tomcatAuthentication="false"/>
Step-4: Update Alfresco Global properties:
Update the "/alfresco/tomcat/shared/classes/alfresco-global.properties" file with the following content:
authentication.chain=external1:external
external.authentication.proxyUserName=
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyHeader=SsoUserHeader
Step-5: Update Alfresco Share Configuration:
Edit the "alfresco/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml" file:
Uncomment the following tag, which is in the last config section of the file.
<config evaluator="string-compare" condition="Remote">
</config>
Update the following two tags inside it:
<connector>
<id>alfrescoHeader</id>
<name>Alfresco Connector</name>
<description>Connects to an Alfresco instance using header and cookie-based authentication</description>
<class>org.alfresco.web.site.servlet.SlingshotAlfrescoConnector</class>
<userHeader>SsoUserHeader</userHeader>
</connector>
<endpoint>
<id>alfresco</id>
<name>Alfresco - user access</name>
<description>Access to Alfresco Repository WebScripts that require user authentication</description>
<connector-id>alfrescoHeader</connector-id>
<endpoint-url>http://localhost:8080/alfresco/wcs</endpoint-url>
<identity>user</identity>
<external-auth>true</external-auth>
</endpoint>
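An added example, not part of the original post or of any project's code: a small Python audit of the three files edited in Steps 2, 4 and 5. It flags the settings in this walkthrough that weaken the trust chain (CASValidateServer Off, CASDebug On, an empty proxyUserName) and checks that the user header name is identical in Apache, Alfresco and Share. The sample strings are constructed from the snippets above, and the function names are hypothetical.

```python
import re

# Constructed samples mirroring the settings shown in Steps 2, 4 and 5.
APACHE_CONF = """\
CASLoginURL https://sso.cas.edu/cas/login
CASValidateURL https://sso.cas.edu/cas/serviceValidate
CASValidateServer Off
CASDebug On
<Location /share>
CASAuthNHeader SsoUserHeader
</Location>
"""
ALFRESCO_PROPS = """\
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader
"""
SHARE_XML = "<userHeader>SsoUserHeader</userHeader>"


def directives(conf, name):
    """Return every value given for an Apache directive (case-insensitive)."""
    return re.findall(rf"^\s*{name}\s+(\S+)", conf, re.I | re.M)


def audit(apache_conf, alfresco_props, share_xml):
    """Return a list of findings for the three configuration layers."""
    findings = []
    if any(v.lower() == "off" for v in directives(apache_conf, "CASValidateServer")):
        findings.append("CASValidateServer Off: CAS server certificate is not verified")
    if any(v.lower() == "on" for v in directives(apache_conf, "CASDebug")):
        findings.append("CASDebug On: verbose CAS logging is enabled")
    for name in ("CASLoginURL", "CASValidateURL"):
        if any(not v.lower().startswith("https://") for v in directives(apache_conf, name)):
            findings.append(f"{name} is not HTTPS")
    props = {k.strip(): v.strip() for k, v in
             (l.split("=", 1) for l in alfresco_props.splitlines()
              if "=" in l and not l.lstrip().startswith("#"))}
    # The same header name must be set by Apache and read by Alfresco and Share.
    headers = set(directives(apache_conf, "CASAuthNHeader") or ["<missing>"])
    headers.add(props.get("external.authentication.proxyHeader", "<missing>"))
    headers.update(re.findall(r"<userHeader>\s*([^<\s]+)\s*</userHeader>", share_xml)
                   or ["<missing>"])
    if len(headers) != 1:
        findings.append(f"user header differs across layers: {sorted(headers)}")
    if not props.get("external.authentication.proxyUserName"):
        findings.append("proxyUserName empty: header accepted without a proxy identity check")
    return findings


if __name__ == "__main__":
    for finding in audit(APACHE_CONF, ALFRESCO_PROPS, SHARE_XML):
        print("-", finding)
```

With an empty proxyUserName, Alfresco relies entirely on the front end for the identity in SsoUserHeader, so Tomcat's HTTP and AJP ports should be reachable only from the Apache host.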
Step-6: Add Dependencies for CAS Integration:
Add the jar files below to the alfresco/tomcat/lib directory.
- cas-client-core-3.2.1.jar
- commons-logging-1.1.jar
- cas-client-integration-tomcat-common-3.2.1.jar
- cas-client-integration-tomcat-v6-3.2.1.jar
You can find cas-client-core-3.2.1.jar and commons-logging-1.1.jar in the /opt/TOMCAT/webapps/SSO/WEB-INF/lib directory of your CAS installation, whereas cas-client-integration-tomcat-v6-3.2.1.jar and cas-client-integration-tomcat-common-3.2.1.jar can be downloaded.