The CAS protocol is our preferred protocol for authentication and single sign-on: it’s easy to understand, easy to configure, and “just works.” Unfortunately, while CAS is pretty well supported by applications and services designed for the higher education market, it is much less widely supported by applications and services targeted mainly at the corporate world. These applications and services typically use the SAML2 protocol instead. Prior to CAS 5, supporting both protocols together required setting up a Shibboleth server alongside the CAS server and configuring one server to use the other as its authentication source. Although this more or less worked, it was difficult to manage, and it didn’t handle all aspects of single sign-on (especially single log-out) very cleanly.
It’s important to understand two terms when talking about SAML, Identity Provider and Service Provider:
Identity Provider (IdP): A SAML Identity Provider (IdP) is a service that authenticates users (“principals”) by means such as usernames, passwords, and multi-factor authentication schemes. Once a user has authenticated, the IdP issues a digitally signed security token (a SAML assertion) that the user’s browser presents to service providers (SPs, see below) to gain access to their services. SPs verify the token’s signature against the IdP’s signing certificate, which they obtain from the IdP’s published metadata, so the token is not sent back to the IdP for validation. CAS 5 has added full native SAML2 support, enabling the CAS server to function as an IdP and eliminating our dependency on Shibboleth.
Service Provider (SP): A SAML Service Provider (SP) is an entity that provides web services to users. When a user attempts to access the service, he or she must present the service with a security token issued by an IdP the SP has been configured to trust. The SP checks the token’s signature, audience, and validity period itself. If the user does not have a token, or the presented token is invalid, the SP redirects the user to the IdP to obtain a new one. The SAML client that we will build in the next section will be our SP for testing purposes.
Add the SAML2 IdP dependency to the project object model
To add SAML2 IdP support to the CAS server, edit the file pom.xml in the cas-overlay-template directory on the master build server (casdev-master) and locate the dependencies section (around line 69), which should look something like this:
    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-duo</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>
Insert the new dependency for the SAML2 IdP support just after the cas-server-support-saml dependency added previously:
    <dependencies>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-webapp${app.server}</artifactId>
            <version>${cas.version}</version>
            <type>war</type>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-json-service-registry</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-ldap</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-saml-idp</artifactId>
            <version>${cas.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apereo.cas</groupId>
            <artifactId>cas-server-support-duo</artifactId>
            <version>${cas.version}</version>
        </dependency>
    </dependencies>
This will instruct Maven to download the appropriate code modules and build them into the server. The two modules are not interchangeable: cas-server-support-saml enables support for returning user attributes to client applications through the SAML 1.1 validation endpoint, while cas-server-support-saml-idp enables support for using the CAS server as a SAML2 Identity Provider. Both dependencies should be included in pom.xml, and both should reference ${cas.version} so that every CAS module in the build comes from the same release.
Rebuild the server
Run Maven to rebuild the server according to the new model:
casdev-master# ./mvnw clean package
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building cas-overlay 1.0
[INFO] ------------------------------------------------------------------------
(lots of diagnostic output... check for errors)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:00 min
[INFO] Finished at: YYYY-MM-DDTHH:MM:SS-00:00
[INFO] Final Memory: 35M/84M
[INFO] ------------------------------------------------------------------------
casdev-master#
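A BUILD SUCCESS only proves that Maven resolved whatever pom.xml asked for; it looks the same whether or not the saml-idp dependency was actually added. The script below is an added example, not code from this page or from the CAS project: it checks that pom.xml declares both cas-server-support-saml and cas-server-support-saml-idp at ${cas.version}, then lists WEB-INF/lib/ in the built WAR to confirm the saml-idp jar was really packaged. The paths pom.xml and target/cas.war are assumptions about the overlay layout, and the sample POM fragments and in-memory stand-in WAR are constructed inputs.

```python
"""Check that the CAS overlay declares the SAML2 IdP modules and that the built
WAR really contains them.  Added example, not CAS project code.  The paths
pom.xml and target/cas.war are assumptions about the overlay layout."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# Modules this page adds; both must be present and pinned to ${cas.version}.
REQUIRED = ("cas-server-support-saml", "cas-server-support-saml-idp")


def _local(tag):
    """Strip the Maven POM namespace ({http://maven.apache.org/POM/4.0.0}dep -> dep)."""
    return tag.rsplit("}", 1)[-1]


def declared_cas_modules(pom_xml):
    """Map artifactId -> version for every org.apereo.cas <dependency> in the POM."""
    found = {}
    for node in ET.fromstring(pom_xml).iter():
        if _local(node.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        if fields.get("groupId") == "org.apereo.cas":
            found[fields.get("artifactId")] = fields.get("version")
    return found


def missing_modules(pom_xml):
    """Return (missing, mismatched): required modules absent from the POM, and
    those present but not at ${cas.version} (a hand-pinned version puts CAS
    modules from two releases on one classpath, which fails in odd ways)."""
    declared = declared_cas_modules(pom_xml)
    missing = [a for a in REQUIRED if a not in declared]
    mismatched = [a for a in REQUIRED
                  if a in declared and declared[a] != "${cas.version}"]
    return missing, mismatched


def modules_in_war(war_bytes, modules=REQUIRED):
    """Return the subset of `modules` whose jar sits under WEB-INF/lib/ in the WAR."""
    present = set()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            jar = name[len("WEB-INF/lib/"):]
            for m in modules:
                # artifactId, a dash, then a version digit: this keeps
                # cas-server-support-saml-5.x.jar from matching saml-idp and vice versa
                if jar.startswith(m + "-") and jar[len(m) + 1:len(m) + 2].isdigit():
                    present.add(m)
    return present


def build_sample_war(jar_names):
    """Constructed stand-in for target/cas.war: a zip with empty jars under WEB-INF/lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for j in jar_names:
            z.writestr("WEB-INF/lib/" + j, b"")
    return buf.getvalue()


# Constructed POM fragments mirroring the before/after state shown above.
_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-saml</artifactId><version>${cas.version}</version></dependency>
    %s
    <dependency><groupId>org.apereo.cas</groupId>
      <artifactId>cas-server-support-duo</artifactId><version>${cas.version}</version></dependency>
  </dependencies>
</project>"""
SAMPLE_POM_BEFORE = _POM % ""
SAMPLE_POM_AFTER = _POM % ("<dependency><groupId>org.apereo.cas</groupId>"
                           "<artifactId>cas-server-support-saml-idp</artifactId>"
                           "<version>${cas.version}</version></dependency>")


def check(pom_path="pom.xml", war_path="target/cas.war"):
    """Run both checks against real files; returns True only if everything is in place."""
    with open(pom_path) as f:
        missing, mismatched = missing_modules(f.read())
    with open(war_path, "rb") as f:
        packaged = modules_in_war(f.read())
    unpackaged = [m for m in REQUIRED if m not in packaged]
    for label, items in (("missing from pom.xml", missing),
                         ("not at ${cas.version}", mismatched),
                         ("not in WEB-INF/lib of the WAR", unpackaged)):
        if items:
            print("FAIL: %s: %s" % (label, ", ".join(items)))
    return not (missing or mismatched or unpackaged)


if __name__ == "__main__":
    sys.exit(0 if check(*sys.argv[1:3]) else 1)
```

Run it from the cas-overlay-template directory after the build (optionally passing the POM and WAR paths as the two arguments); a non-zero exit with a FAIL line tells you which of the three conditions was not met before you spend time deploying and debugging the IdP endpoints.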